CVS has been unbundled as of 2.271 
(https://www.jenkins.io/changelog/#v2.271). So the next LTS (based on 
2.777 I guess) should allow you to uninstall CVS. 


Björn

mj1414...@gmail.com wrote on Monday, 15 February 2021 at 18:45:54 UTC+1:

>
> Hello,
>
> the CVS plugin 2.11 has security warnings:
>
>    - CSRF vulnerability 
>    <https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1094>
>    - XXE vulnerability 
>    <https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2146>
>
> I don't see an update and it is *"This plugin is up for adoption".*
>
> OTOH, I don't need it - we're using GIT and SVN. So I've tried to remove 
> it - so far in vain.
> "Uninstall" from plugin manager - doesn't seem to do anything.
> Shut down Jenkins; removed in .../home/plugins cvs.jpi and the 
> cvs-directory. After restart they are both here again.
>
> I assume, this is because the plugin is bundled with jenkins.war. (See 
> below)
>
> If this is the case: How do I remove it?
> If the bundled state is the problem, then should the plugins with security 
> issues and "open for adoption" be unbundled, so users not needing it can 
> get rid of it?
>
> Regards
>
> Martin
>
> Yes, it is bundled in my understanding:
>
> >unzip -l jenkins2_263_3.war | grep pi
> ...
>    929025  01-25-2021 15:03   WEB-INF/detached-plugins/cvs.hpi
>
> *...*
>
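
Added example (not part of the original thread and not Jenkins project code): a Python check that lists the plugins a given jenkins.war carries under WEB-INF/detached-plugins, as in the unzip listing above, and reports which unwanted ones it still ships. The function names, the in-memory sample WAR and its version strings are constructed for illustration; Short-Name and Plugin-Version are the plugin manifest attributes it reads.

```python
import io
import zipfile

DETACHED_DIR = "WEB-INF/detached-plugins/"  # path seen in the unzip listing

def read_manifest(plugin_bytes):
    """Return the main MANIFEST.MF attributes of a .hpi/.jpi archive as a dict."""
    with zipfile.ZipFile(io.BytesIO(plugin_bytes)) as plugin:
        text = plugin.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:
            break                      # blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]     # continuation of a wrapped value
        elif ":" in line:
            key, value = line.split(":", 1)
            attrs[key] = value.strip()
    return attrs

def bundled_plugins(war):
    """Map plugin short name -> version for each plugin archive in DETACHED_DIR."""
    found = {}
    with zipfile.ZipFile(war) as z:    # war: file path or file-like object
        for name in z.namelist():
            if name.startswith(DETACHED_DIR) and name.endswith((".hpi", ".jpi")):
                attrs = read_manifest(z.read(name))
                short = attrs.get("Short-Name", name[len(DETACHED_DIR):-4])
                found[short] = attrs.get("Plugin-Version", "unknown")
    return found

def still_bundled(war, unwanted):
    """Return the unwanted plugin short names that are present in this WAR."""
    return sorted(set(unwanted) & set(bundled_plugins(war)))

def build_sample_war(plugins):
    """Constructed input: bytes of a WAR holding the given {name: version}."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        for name, version in plugins.items():
            hpi = io.BytesIO()
            manifest = f"Short-Name: {name}\r\nPlugin-Version: {version}\r\n\r\n"
            with zipfile.ZipFile(hpi, "w") as p:
                p.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n" + manifest)
            w.writestr(DETACHED_DIR + name + ".hpi", hpi.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    sample = build_sample_war({"cvs": "0.0-constructed", "sample-plugin": "0.0-constructed"})
    print(bundled_plugins(io.BytesIO(sample)), still_bundled(io.BytesIO(sample), ["cvs"]))
```

For a real file, pass its path, for example `still_bundled("jenkins.war", ["cvs"])`.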
