> Thanks, James. For the login plugin we have a pinned dependency in our pom.xml, so we plan on updating that so folks get a fixed version of Mailer if that isn't present on their Jenkins instance.
You do not need to do that - they would get a fixed version of Mailer if it was not installed on their Jenkins instance in any case.

> We also have a downstream distribution which pulls in 3rd party plugins, like blueocean. We noticed that this has a dependency tree which includes the Bitbucket branch plugin [1]. The current release predates the security fix and pins the branch plugin to 2.9.11, thus our current build doesn't get the patch. We can override plugin dependency versions on our side, but in an ideal world we would use a newer (fixed) version of blueocean.
>
> How can we request a new build of the blueocean plugin?
>
> [1] https://plugins.jenkins.io/cloudbees-bitbucket-branch-source/

You can ask on the dev list - but as there is no issue in Blue Ocean and releasing it takes a non-trivial amount of time, it is unlikely to happen (it is also only getting critical bug fixes, not general improvements, as per https://groups.google.com/g/jenkinsci-users/c/xngZrSsXIjc/m/d606K7lHBgAJ).

/James

On Wednesday, January 26, 2022 at 10:33:28 PM UTC [email protected] wrote:

> On Wed, Jan 26, 2022 at 5:07 PM James Nord <[email protected]> wrote:
>
>> Hi Adam
>>
>> You don't have to do anything.
>>
>> Mostly as a security release of a plugin should not break API compatibility.
>>
>> If someone installs your plugin then Jenkins will, if the mailer plugin is not installed, install the latest from the update center that it knows about.
>>
>> You can choose to update the dependency in your pom to stop the GitHub security warning, but a release is not required.
>>
>> In other words, think of plugin dependencies as runtime lower limits, not hard dependencies.
>>
>> /James
>>
>> On Wednesday, 26 January 2022 at 22:01:06 UTC [email protected] wrote:
>>
>>> Hi all,
>>>
>>> January's security advisory had several vulnerabilities disclosed in plugins [1]. Some of these plugins are widely used and may be used as dependencies in other plugins. For example, my team maintains the openshift-login-plugin and we depend on Mailer, which was recently updated with a security fix.
>>>
>>> What is the right thing to do if we observe that a released plugin includes another vulnerable plugin as a dependency? Does this warrant a security issue?
>>>
>>> Thanks,
>>> Adam
>>>
>>> [1] https://www.jenkins.io/security/advisory/2022-01-12/
>>>
>>> --
>>> Adam Kaplan
>>> He/Him
>>> Principal Software Engineer
>>> Red Hat <https://www.redhat.com>
>>> 100 E. Davie Street
>>> [email protected] T: 1-919-754-4843
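The practical takeaway of the thread is that a plugin's declared dependency is only a lower bound that Jenkins resolves upward from the update center at install time, so the case that actually needs attention is a downstream distribution that bundles and pins plugin versions itself (the `2.9.11` pin above). The script below is an added example, not code from the thread or from the Jenkins project: it reads a bundled plugin list in the `plugin:version` line format that `jenkins-plugin-cli` accepts in a `plugins.txt` file, compares each pinned version against a table of advisory minimums, and reports pins that fall below the fix. The plugin list and the minimum-version table are constructed samples; the minimums in particular are placeholders, not the real advisory values.

```python
"""Check a bundled Jenkins plugin set against advisory minimum versions.

Added example, not part of the mailing-list thread. Assumes the
``plugin:version`` line format read by jenkins-plugin-cli; the sample
plugin list and the minimum-version table are constructed placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a downstream distribution's bundled plugin list.
# Versions here are made up for the example; only the 2.9.11 pin comes
# from the thread.
SAMPLE_PLUGINS_TXT = """\
# plugins bundled by the distribution (constructed sample)
blueocean:1.25.2
cloudbees-bitbucket-branch-source:2.9.11
mailer:1.34
openshift-login:1.0.25
"""

# Constructed placeholder minimums: the lowest version assumed to carry
# the fix. These are NOT the numbers from the real advisory.
SAMPLE_MINIMUMS: Dict[str, str] = {
    "cloudbees-bitbucket-branch-source": "2.10.0",
    "mailer": "1.35",
}


def parse_version(version: str) -> Tuple[Tuple[int, object], ...]:
    """Split a version into comparable components.

    Numeric components become (1, int); textual qualifiers such as
    "beta" become (0, str) so that any qualifier sorts below a number.
    """
    parts: List[Tuple[int, object]] = []
    for token in re.split(r"[.\-]", version.strip()):
        if token.isdigit():
            parts.append((1, int(token)))
        else:
            parts.append((0, token.lower()))
    return tuple(parts)


def version_below(installed: str, minimum: str) -> bool:
    """True if ``installed`` is older than ``minimum``.

    Both tuples are padded with (1, 0) so "1.0" == "1.0.0" and, because
    (1, 0) sorts above any (0, qualifier), "1.0" > "1.0-beta".
    """
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a = a + ((1, 0),) * (n - len(a))
    b = b + ((1, 0),) * (n - len(b))
    return a < b


def parse_plugins_txt(text: str) -> Dict[str, Optional[str]]:
    """Parse ``plugin:version`` lines; a bare ``plugin`` line is unpinned."""
    plugins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition(":")
        plugins[name.strip()] = version.strip() if sep else None
    return plugins


def find_vulnerable(
    plugins: Dict[str, Optional[str]], minimums: Dict[str, str]
) -> List[Tuple[str, str, str]]:
    """Return (plugin, pinned version, minimum) for every pin below the fix."""
    findings: List[Tuple[str, str, str]] = []
    for name, minimum in sorted(minimums.items()):
        if name not in plugins:
            continue  # not bundled: Jenkins resolves it from the update center
        pinned = plugins[name]
        if pinned is None:
            continue  # unpinned: the latest available version is installed
        if version_below(pinned, minimum):
            findings.append((name, pinned, minimum))
    return findings


if __name__ == "__main__":
    bundled = parse_plugins_txt(SAMPLE_PLUGINS_TXT)
    for name, pinned, minimum in find_vulnerable(bundled, SAMPLE_MINIMUMS):
        print(f"{name}: pinned {pinned}, fix requires >= {minimum}")
```

Plugins that are absent from the list or listed without a version are deliberately skipped, since those are exactly the cases the thread says Jenkins handles by pulling the latest release from the update center; only an explicit pin below the advisory minimum is a finding for the distribution to override.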
