Re: Jenkins upgrade from 2.250 to 2.275

2021-05-30 Thread 'Björn Pedersen' via Jenkins Users
BTW, if you don't want to do too frequent updates (upgrade each week and 
check for all changes each time), I would consider switching to the LTS 
series (2.277.1 in your case).
Then such changes would be easier to find in the LTS changelog. 

Björn

Björn Pedersen wrote on Monday, 31 May 2021 at 08:47:46 UTC+2:

> Hi,
>
> it seems you did not upgrade all plugins as well. These effects are 
> caused by the tables-to-div migrations.
>
> See https://www.jenkins.io/doc/developer/views/table-to-div-migration/ 
> for more details...
>
> Björn
>
> s.p...@gmail.com wrote on Monday, 31 May 2021 at 02:52:14 UTC+2:
>
>> After I upgraded Jenkins from 2.250 to 2.275, I noticed that the UI for 
>> the Jobs configuration looks different. The sections for Source Code 
>> Management/Build Triggers/Build Environment/build/Post-build actions are 
>> missing at the top of the job configuration page and I see a couple of 
>> Artifactory configuration sections (tabs). Also, the SSH 
>> settings/configuration that we set up for each job are missing. Not sure 
>> how to turn off the Artifactory configuration and restore the SSH settings. 
>> Please see the attached screenshots. Please help. TIA
>> Jenkins is running on Windows 2012R2 server.
>>
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/34578c37-a274-42cd-83ab-8dcc2d023939n%40googlegroups.com.


Re: Out-of-date version(YUI)

2021-05-30 Thread Daniel Beck



> On 30. May 2021, at 03:05, s.p...@gmail.com  wrote:
> 
> Affected versions of the package are vulnerable to Cross-site Scripting (XSS) 
> via .swf files, allowing arbitrary code injection into hosting server 
> CVE-2012-5881 CVE-2012-5883
> 

While we include YUI, we do not include the vulnerable file.

Your scanner is trash.



Re: Out-of-date version(YUI)

2021-05-30 Thread Wadeck Follonier
Hello there,

Nothing to care about at the moment for YUI as all the known 
vulnerabilities are related to the presence of the Flash files ("via .swf 
files"), they were removed from the library before it was included in 
Jenkins.
But the out-of-date status is still valid unfortunately.

Best regards,

Wadeck
On Monday, May 31, 2021 at 2:33:00 AM UTC+2 s.p...@gmail.com wrote:

> Thank you, Oleg. Thank you for sharing the link to report the 
> vulnerabilities. Appreciate your help!
>
> On Sunday, May 30, 2021 at 2:46:39 PM UTC-4 o.v.ne...@gmail.com wrote:
>
>> Hello,
>>
>> Thanks for your report. I will let the Jenkins security team members 
>> comment on that. Just for your information, we have an official process for 
>> reporting security vulnerabilities. I highly recommend following this 
>> process. Please see 
>> https://www.jenkins.io/security/#reporting-vulnerabilities
>>
>> Best regards,
>> Oleg Nenashev
>>
>>
>>
>> On Sunday, May 30, 2021 at 3:05:00 AM UTC+2 s.p...@gmail.com wrote:
>>
>>> Our web scans show an out-of-date version (YUI) vulnerability. I'm not able 
>>> to find anything on how to remediate this finding. Any help is appreciated. 
>>> TIA
>>> Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js 
>>> Affected versions of the package are vulnerable to Cross-site 
>>> Scripting (XSS) via .swf files, allowing arbitrary code injection into 
>>> hosting server CVE-2012-5881 CVE-2012-5883
>>>
>>> *Jenkins version - 2.250 , windows 2012 server.*
>>>
>>

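One way to check the point made in the replies above (the YUI findings apply only when the Flash files are present), added here as an example and not part of the original thread or of Jenkins: search the deployed archive for Flash content by name and by file signature, including inside nested archives. The function names and the sample archive are constructed for illustration; pass the path to your own jenkins.war as the first argument.

```python
import io
import zipfile

# SWF files start with one of these signatures (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
NESTED = (".jar", ".war", ".zip")


def find_flash(archive, where=""):
    """Return paths of Flash content in a zip-format archive (path or file object).

    An entry counts if it is named *.swf or begins with an SWF signature,
    so renamed files are caught too. Nested archives are searched recursively.
    """
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = where + info.filename
            with zf.open(info) as fh:
                head = fh.read(3)
            if info.filename.lower().endswith(".swf") or head in SWF_MAGIC:
                hits.append(path)
            elif info.filename.lower().endswith(NESTED):
                try:
                    hits += find_flash(io.BytesIO(zf.read(info)), path + "!/")
                except zipfile.BadZipFile:
                    pass  # not really an archive; nothing to search
    return sorted(hits)


def build_sample_war(with_flash):
    """Constructed sample: a tiny WAR-like zip, optionally carrying Flash files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("scripts/yui/yahoo/yahoo-min.js", "/* constructed */")
        if with_flash:
            war.writestr("scripts/yui/constructed/example.swf", b"CWS\x09demo")
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as jar:
                jar.writestr("assets/renamed.bin", b"FWS\x09demo")
            war.writestr("WEB-INF/lib/sample.jar", inner.getvalue())
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_war(True)
    for hit in find_flash(target):
        print(hit)
```

An empty result is the evidence to attach when recording the scanner finding as not applicable; the out-of-date version status is a separate finding and is unaffected by this check.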


Re: Jenkins upgrade from 2.250 to 2.275

2021-05-30 Thread 'Björn Pedersen' via Jenkins Users
Hi,

it seems you did not upgrade all plugins as well. These effects are caused 
by the tables-to-div migrations.

See https://www.jenkins.io/doc/developer/views/table-to-div-migration/ for 
more details...

Björn

s.p...@gmail.com wrote on Monday, 31 May 2021 at 02:52:14 UTC+2:

> After I upgraded Jenkins from 2.250 to 2.275, I noticed that the UI for 
> the Jobs configuration looks different. The sections for Source Code 
> Management/Build Triggers/Build Environment/build/Post-build actions are 
> missing at the top of the job configuration page and I see a couple of 
> Artifactory configuration sections (tabs). Also, the SSH 
> settings/configuration that we set up for each job are missing. Not sure 
> how to turn off the Artifactory configuration and restore the SSH settings. 
> Please see the attached screenshots. Please help. TIA
> Jenkins is running on Windows 2012R2 server.
>
>
>



Jenkins upgrade from 2.250 to 2.275

2021-05-30 Thread s.p...@gmail.com
After I upgraded Jenkins from 2.250 to 2.275, I noticed that the UI for the 
Jobs configuration looks different. The sections for Source Code 
Management/Build Triggers/Build Environment/build/Post-build actions are 
missing at the top of the job configuration page and I see a couple of 
Artifactory configuration sections (tabs). Also, the SSH 
settings/configuration that we set up for each job are missing. Not sure 
how to turn off the Artifactory configuration and restore the SSH settings. 
Please see the attached screenshots. Please help. TIA
Jenkins is running on Windows 2012R2 server.




Re: Out-of-date version(YUI)

2021-05-30 Thread s.p...@gmail.com
Thank you, Oleg. Thank you for sharing the link to report the 
vulnerabilities. Appreciate your help!

On Sunday, May 30, 2021 at 2:46:39 PM UTC-4 o.v.ne...@gmail.com wrote:

> Hello,
>
> Thanks for your report. I will let the Jenkins security team members 
> comment on that. Just for your information, we have an official process for 
> reporting security vulnerabilities. I highly recommend following this 
> process. Please see 
> https://www.jenkins.io/security/#reporting-vulnerabilities
>
> Best regards,
> Oleg Nenashev
>
>
>
> On Sunday, May 30, 2021 at 3:05:00 AM UTC+2 s.p...@gmail.com wrote:
>
>> Our web scans show an out-of-date version (YUI) vulnerability. I'm not able 
>> to find anything on how to remediate this finding. Any help is appreciated. 
>> TIA
>> Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js 
>> Affected versions of the package are vulnerable to Cross-site 
>> Scripting (XSS) via .swf files, allowing arbitrary code injection into 
>> hosting server CVE-2012-5881 CVE-2012-5883
>>
>> *Jenkins version - 2.250 , windows 2012 server.*
>>
>



Re: Out-of-date version(YUI)

2021-05-30 Thread Oleg Nenashev
Hello,

Thanks for your report. I will let the Jenkins security team members 
comment on that. Just for your information, we have an official process for 
reporting security vulnerabilities. I highly recommend following this 
process. Please see 
https://www.jenkins.io/security/#reporting-vulnerabilities

Best regards,
Oleg Nenashev



On Sunday, May 30, 2021 at 3:05:00 AM UTC+2 s.p...@gmail.com wrote:

> Our web scans show an out-of-date version (YUI) vulnerability. I'm not able 
> to find anything on how to remediate this finding. Any help is appreciated. 
> TIA
> Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js 
> Affected versions of the package are vulnerable to Cross-site 
> Scripting (XSS) via .swf files, allowing arbitrary code injection into 
> hosting server CVE-2012-5881 CVE-2012-5883
>
> *Jenkins version - 2.250 , windows 2012 server.*
>



Re: [IMPORTANT] plugins deprecation for Digester removal

2021-05-30 Thread Oleg Nenashev
Thanks to Baptiste for bringing it up explicitly! Many plugins from the 
list can be fixed, and there are already pull requests created by Adrien 
Lecharpentier and Carroll Chiou. It would be great to help them land, but 
many plugins are effectively abandoned. I highly recommend that the pull 
request authors ping maintainers about putting the plugin for adoption.

From the list, I am particularly concerned about Code Coverage plugins 
which seemed to be actively used. If we could get their releases out, it 
would be awesome.






On Saturday, May 29, 2021 at 12:18:37 AM UTC+2 Baptiste Mathus wrote:

> Hi all,
>
> We are about to remove a very old version of a library provided by Jenkins 
> Core: commons-digester:2.1.
>
> In practice, when we do this, *this will make the following plugins 
> unusable starting with the weekly and future LTS.*
>
> The plugins are:
>
> - emma
> - cloverphp
> - vs-code-metrics
> - BlameSubversion
> - javatest-report
> - vss
> - genexus
> - synergy
> - config-rotator
> - harvest
> - cmvc
>
> What can you do if you use one of the plugins above?
>
> - Say so in this thread.
> - Preferably be ready to step up as maintainer. These plugins are
>   de-facto long abandoned, some for 5+ years, and hence anyway they're
>   already runtime risks in your instances.
>
>
> Thank you!
>
> -- Baptiste
>
