Hi all, January's security advisory had several vulnerabilities disclosed in plugins [1]. Some of these plugins are widely used and may be used as dependencies in other plugins. For example, my team maintains the openshift-login-plugin and we depend on Mailer, which was recently updated with a security fix.
What is the right thing to do if we observe that a released plugin includes another vulnerable plugin as a dependency? Does this warrant a security issue?

Thanks,
Adam

[1] https://www.jenkins.io/security/advisory/2022-01-12/

--
Adam Kaplan
He/Him
Principal Software Engineer
Red Hat <https://www.redhat.com>
100 E. Davie Street
[email protected]
T: 1-919-754-4843
