OK, that's embarrassing.

Indeed we haven't figured out how to communicate security problems to
plugin developers. Sometimes it's not obvious who to talk to, and even when
it is obvious, we haven't configured JIRA to let us grant read access on an
issue-by-issue basis.

Issues not getting timely enough attention is unfortunate, but aside from
trying to add more people to the jenkinsci-cert group (which we are always
trying), I'm not sure how to resolve that.

Daniel, given the level of activity you commit in the core, I feel like you
could help us fix those issues, in addition to finding them.



2014/1/10 Daniel Beck <[email protected]>

> On 10.01.2014, at 18:11, teilo <[email protected]> wrote:
>
> > Have you helped to improve this situation by actually reporting them via
> > the proper channels?
>
> Yes. That's why I consider the resolution process to be broken. The
> "proper channels" don't work.
>
> The first security issue I reported was SECURITY-35 in email-ext
> (installed on 30% of all instances) which I re-filed publicly as
> JENKINS-15213 after getting no response for three months. The email-ext
> author informed me he didn't receive any information from those with access
> to the private issue tracker and quickly fixed the problem. Another five
> months later, a response to SECURITY-35 arrived, explaining that, because
> the process was broken, some issues were overlooked.
>
> Then there's the ongoing SECURITY-87: I reported that anyone can trivially
> DoS any Jenkins instance (including those where anonymous has no
> permissions) on 13 Aug 2013. AFAICT the problem persists. Sure, it's not
> privilege escalation, but still annoying if you're running a public
> instance.
>
> Another example of a security issue in current LTS is JENKINS-20800, which
> I originally reported to Cloudbees Enterprise support in a non-security
> context (so it was filed publicly). I only later found it to be trivially
> exploitable on any Jenkins instance by anyone. Four weeks ago, the fix was
> backported early to LTS, likely because I asked for it on the dev list. But
> 1.532.2 still doesn't even have an RC. Should I have reported it separately
> as a security issue? Maybe, but the developers were aware of this issue,
> and by then I'd mostly given up on "proper channels".
>



-- 
Kohsuke Kawaguchi
