Hi, any updates on the uploads? We still cannot upload our plugin.

On Tuesday, 9 June 2020 15:58:33 UTC+3, Oleg Nenashev wrote:
>
> Downloads are restored. Another workaround has been applied by Daniel in
> https://github.com/jenkins-infra/repository-permissions-updater/pull/1569 ,
> so user downloads are no longer broken.
> Thanks a lot to Daniel Beck for the quick fix!
>
> Uploads are still blocked for everyone except a few users with
> Artifactory-wide permissions. We will be reviewing our options and
> communicating the next steps soon
>
> Best regards,
> Oleg
>
> On Tuesday, June 9, 2020 at 2:29:39 PM UTC+2, Oleg Nenashev wrote:
>>
>> We are also experiencing issues with artifact downloads, likely a
>> collateral damage after the change
>>
>> On Tuesday, June 9, 2020 at 11:15:03 AM UTC+2, Oleg Nenashev wrote:
>>>
>>> Hi all,
>>>
>>> An official update w.r.t. this topic is coming soon. I confirm the
>>> assessment by Dmitry, it is a potential security risk which was reported on
>>> multiple occasions. SECURITY-1895 is a report for this incident, and it is
>>> currently being investigated by the security team.
>>>
>>> Just to provide some updates:
>>>
>>> - As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases"
>>> location are prohibited. Plugin maintainers will get HTTP 409 when they
>>> try to upload releases. Incremental releases and snapshot deployment are
>>> not affected by this change
>>> - We are reviewing all audit logs to confirm whether the potential
>>> issue with uploads was exploited. According to the preliminary analysis,
>>> the answer is "no"
>>>
>>> Today at 3:30PM UTC we will also have a Jenkins Infrastructure team
>>> meeting where this issue will be discussed in more detail. Calendar
>>> link
>>>
>>> Best regards,
>>> Oleg Nenashev
>>> Jenkins Security Team
>>>
>>> On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
>>>>
>>>> Do you guys plan to reach out to all the extension owners?
>>>>
>>>> We just accidentally found out about the issue: couldn't log in or
>>>> reset password, and then found this thread. When we created a new account
>>>> (42Crunch) for our company it just automatically assumed all access and
>>>> extension ownership for the plugin that we had published a few weeks ago.
>>>>
>>>> This can be dangerous because someone might take over existing accounts
>>>> of other vendors and then push malware updates to customers.
>>>>
>>>> Dmitry
>>>>
>>>> On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
>>>>>
>>>>> Yes, it is better to do password reset.
>>>>> Admin UI in the Account App looks a bit strange for me, apparently I
>>>>> cannot reset passwords for other users at the moment.
>>>>>
>>>>> On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[email protected]> wrote:
>>>>>
>>>>>> I'm glad I checked here first!
>>>>>>
>>>>>> Same thing happened to me. My user id is: mezpahlan
>>>>>>
>>>>>> I registered more than 3 months ago but I *have* changed my password
>>>>>> in the last 3 months and don't remember the old one any more. Do I need
>>>>>> to password reset?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
>>>>>>>
>>>>>>> Up until two days ago I was able to log into Jenkins LDAP without
>>>>>>> issues.
>>>>>>> Now if I try to login it says invalid password, and a password reset
>>>>>>> attempt on https://accounts.jenkins.io/ isn't working (I receive no
>>>>>>> email, even though password resets have worked for me in the past).
>>>>>>>
>>>>>>> Could someone help take a look? I'll send my username privately.
