Please see https://groups.google.com/forum/m/#!topic/jenkinsci-dev/3UvrCTflXGk for the status updates. Yes, downloads are still blocked
On Sun, Jun 14, 2020, 14:40 Roni Segal <[email protected]> wrote:

> Hi, any updates on the uploads? We still cannot upload our plugin
>
> On Tuesday, 9 June 2020 15:58:33 UTC+3, Oleg Nenashev wrote:
>>
>> Downloads are restored. Another workaround has been applied by Daniel in
>> https://github.com/jenkins-infra/repository-permissions-updater/pull/1569,
>> so user downloads are no longer broken.
>> Thanks a lot to Daniel Beck for the quick fix!
>>
>> Uploads are still blocked for everyone except a few users with
>> Artifactory-wide permissions. We will be reviewing our options and
>> communicating the next steps soon
>>
>> Best regards,
>> Oleg
>>
>> On Tuesday, June 9, 2020 at 2:29:39 PM UTC+2, Oleg Nenashev wrote:
>>>
>>> We are also experiencing issues with artifact downloads, likely
>>> collateral damage after the change
>>>
>>> On Tuesday, June 9, 2020 at 11:15:03 AM UTC+2, Oleg Nenashev wrote:
>>>>
>>>> Hi all,
>>>>
>>>> An official update w.r.t. this topic is coming soon. I confirm the
>>>> assessment by Dmitry, it is a potential security risk which was reported
>>>> on multiple occasions. SECURITY-1895 is a report for this incident, and
>>>> it is currently being investigated by the security team.
>>>>
>>>> Just to provide some updates:
>>>>
>>>> - As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases"
>>>>   location are prohibited. Plugin maintainers will get HTTP 409 when
>>>>   they try to upload releases. Incremental releases and snapshot
>>>>   deployment are not affected by this change
>>>> - We are reviewing all audit logs to confirm whether the potential
>>>>   issue with uploads was exploited. According to the preliminary
>>>>   analysis, the answer is "no"
>>>>
>>>> Today at 3:30PM UTC we will also have a Jenkins Infrastructure team
>>>> meeting where this issue will be discussed in more detail.
>>>> Calendar link
>>>>
>>>> Best regards,
>>>> Oleg Nenashev
>>>> Jenkins Security Team
>>>>
>>>> On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
>>>>>
>>>>> Do you guys plan to reach out to all the extension owners?
>>>>>
>>>>> We just accidentally found out about the issue: couldn't log in or
>>>>> reset password, and then found this thread. When we created a new
>>>>> account (42Crunch) for our company it just automatically assumed all
>>>>> access and extension ownership for the plugin that we had published a
>>>>> few weeks ago.
>>>>>
>>>>> This can be dangerous because someone might take over existing
>>>>> accounts of other vendors and then push malware updates to customers.
>>>>>
>>>>> Dmitry
>>>>>
>>>>> On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
>>>>>>
>>>>>> Yes, it is better to do password reset.
>>>>>> Admin UI in the Account App looks a bit strange for me, apparently I
>>>>>> cannot reset passwords for other users at the moment.
>>>>>>
>>>>>> On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[email protected]> wrote:
>>>>>>
>>>>>>> I'm glad I checked here first!
>>>>>>>
>>>>>>> Same thing happened to me. My user id is: mezpahlan
>>>>>>>
>>>>>>> I registered more than 3 months ago but I *have* changed my
>>>>>>> password in the last 3 months and don't remember the old one any
>>>>>>> more. Do I need to password reset?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
>>>>>>>>
>>>>>>>> Up until two days ago I was able to log into Jenkins LDAP without
>>>>>>>> issues.
>>>>>>>> Now if I try to login it says invalid password, and a password
>>>>>>>> reset attempt on https://accounts.jenkins.io/ isn't working (I
>>>>>>>> receive no email, even though password resets have worked for me
>>>>>>>> in the past).
>>>>>>>>
>>>>>>>> Could someone help take a look? I'll send my username privately.
