Hello, the CVS plugin 2.11 has security warnings:
- CSRF vulnerability <https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1094>
- XXE vulnerability <https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2146>

I don't see an update and it is "This plugin is up for adoption".

OTOH, I don't need it - we're using GIT and SVN.

So I've tried to remove it - so far in vain.

"Uninstall" from plugin manager - doesn't seem to do anything.

Shut down Jenkins; removed in .../home/plugins cvs.jpi and the cvs-directory. After restart they are both here again.

I assume this is because the plugin is bundled with jenkins.war. (See below)

If this is the case: How do I remove it?

If the bundled state is the problem, then should the plugins with security issues and "open for adoption" be unbundled, so users not needing it can get rid of it?

Regards
Martin

Yes, it is bundled in my understanding:

>unzip -l jenkins2_263_3.war | grep pi
...
929025 01-25-2021 15:03 WEB-INF/detached-plugins/cvs.hpi
...
