Uploads should be reenabled now: https://groups.google.com/d/msg/jenkinsci-dev/3UvrCTflXGk/gWT_tH7VAgAJ

On Sunday, June 14, 2020 at 2:48:20 PM UTC+2, Oleg Nenashev wrote:
>
> Please see
> https://groups.google.com/forum/m/#!topic/jenkinsci-dev/3UvrCTflXGk
> for the status updates. Yes, downloads are still blocked
>
> On Sun, Jun 14, 2020, 14:40 Roni Segal <[email protected]> wrote:
>
>> Hi, any updates on the uploads? We still cannot upload our plugin
>>
>> On Tuesday, 9 June 2020 15:58:33 UTC+3, Oleg Nenashev wrote:
>>>
>>> Downloads are restored. Another workaround has been applied by Daniel in
>>> https://github.com/jenkins-infra/repository-permissions-updater/pull/1569,
>>> so user downloads are no longer broken.
>>> Thanks a lot to Daniel Beck for the quick fix!
>>>
>>> Uploads are still blocked for everyone except a few users with
>>> Artifactory-wide permissions. We will be reviewing our options and
>>> communicating the next steps soon
>>>
>>> Best regards,
>>> Oleg
>>>
>>> On Tuesday, June 9, 2020 at 2:29:39 PM UTC+2, Oleg Nenashev wrote:
>>>>
>>>> We are also experiencing issues with artifact downloads, likely
>>>> collateral damage after the change
>>>>
>>>> On Tuesday, June 9, 2020 at 11:15:03 AM UTC+2, Oleg Nenashev wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> An official update w.r.t. this topic is coming soon. I confirm the
>>>>> assessment by Dmitry, it is a potential security risk which was
>>>>> reported on multiple occasions. SECURITY-1895 is a report for this
>>>>> incident, and it is currently being investigated by the security team.
>>>>>
>>>>> Just to provide some updates:
>>>>>
>>>>> - As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases"
>>>>>   location are prohibited. Plugin maintainers will get HTTP 409 when
>>>>>   they try to upload releases. Incremental releases and snapshot
>>>>>   deployment are not affected by this change
>>>>> - We are reviewing all audit logs to confirm whether the potential
>>>>>   issue with uploads was exploited. According to the preliminary
>>>>>   analysis, the answer is "no"
>>>>>
>>>>> Today at 3:30PM UTC we will also have a Jenkins Infrastructure team
>>>>> meeting where this issue will be discussed in more detail. Calendar
>>>>> link
>>>>>
>>>>> Best regards,
>>>>> Oleg Nenashev
>>>>> Jenkins Security Team
>>>>>
>>>>> On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
>>>>>>
>>>>>> Do you guys plan to reach out to all the extension owners?
>>>>>>
>>>>>> We just accidentally found out about the issue: couldn't log in or
>>>>>> reset password, and then found this thread. When we created a new
>>>>>> account (42Crunch) for our company it just automatically assumed all
>>>>>> access and extension ownership for the plugin that we had published
>>>>>> a few weeks ago.
>>>>>>
>>>>>> This can be dangerous because someone might take over existing
>>>>>> accounts of other vendors and then push malware updates to customers.
>>>>>>
>>>>>> Dmitry
>>>>>>
>>>>>> On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
>>>>>>>
>>>>>>> Yes, it is better to do password reset.
>>>>>>> Admin UI in the Account App looks a bit strange to me, apparently I
>>>>>>> cannot reset passwords for other users at the moment.
>>>>>>>
>>>>>>> On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I'm glad I checked here first!
>>>>>>>>
>>>>>>>> Same thing happened to me. My user id is: mezpahlan
>>>>>>>>
>>>>>>>> I registered more than 3 months ago but I *have* changed my
>>>>>>>> password in the last 3 months and don't remember the old one any
>>>>>>>> more. Do I need to password reset?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
>>>>>>>>>
>>>>>>>>> Up until two days ago I was able to log into Jenkins LDAP without
>>>>>>>>> issues.
>>>>>>>>> Now if I try to login it says invalid password, and a password
>>>>>>>>> reset attempt on https://accounts.jenkins.io/ isn't working (I
>>>>>>>>> receive no email, even though password resets have worked for me
>>>>>>>>> in the past).
>>>>>>>>>
>>>>>>>>> Could someone help take a look? I'll send my username privately.
