CVS has been unbundled as of 2.271 (https://www.jenkins.io/changelog/#v2.271). So the next LTS ( based on 2.777 I guess) should allow you to uninstall CVS.
Björn [email protected] schrieb am Montag, 15. Februar 2021 um 18:45:54 UTC+1: > > Hello, > > the CVS plugin 2.11 has security warnings: > > - CSRF vulnerability > <https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1094> > - XXE vulnerability > <https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2146> > > I don't see an update and it is* "This plugin is up for adoption".* > > OTOH, I don't need it - we're using GIT and SVN. So I've tried to remove > it - so far in vain. > "Uninstall" from plugin manager - doesn't seem to do something. > Shut down Jenkins; removed in .../home/plugins cvs.jpi and the > cvs-directory. After restart they are both herr again. > > I assume, this is because the plugin is bundled with jenkins.war. (See > below) > > If this is the case: How do I remove it ? > If the bundled state is the problem, then should the plugins with security > issues and "open for adoption" be unbundeled, so users not needing it, can > get rid of it ? > > Regards > > Martin > > Yes, it is bundled in my understanding: > > >unzip -l jenkins2_263_3.war | grep pi > ... > 929025 01-25-2021 15:03 WEB-INF/detached-plugins/cvs.hpi > > *...* > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/38074bb8-412c-4637-a39c-c1595962fc6an%40googlegroups.com.
