[JIRA] (JENKINS-41909) Check updates failure: CertificateExpiredException

2017-02-16 Thread deras...@gmail.com (JIRA)
Dmitry Erastov commented on JENKINS-41909

Re: Check updates failure: CertificateExpiredException

The error is gone now. I don't have the mirror info in jenkins.log, just the stack trace. How can I find out what the requested URL was? On a different note, based on my search of the existing tickets, this has occurred before, and seems like more graceful handling of these types of errors would be nice.

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[JIRA] (JENKINS-41909) Check updates failure: CertificateExpiredException

2017-02-09 Thread deras...@gmail.com (JIRA)
Dmitry Erastov created an issue

Check updates failure: CertificateExpiredException

Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 2017/Feb/09 10:16 PM
Environment: Jenkins 2.44, Amazon Linux kernel 4.4.41-36.55.amzn1.x86_64, OpenJDK 1.8.0_121-b13
Labels: updateCenter ssl certificate
Priority: Major
Reporter: Dmitry Erastov

A stack trace is shown when checking for updates:

 
java.security.cert.CertificateExpiredException: NotAfter: Thu Feb 09 03:41:22 UTC 2017
	at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
	at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:190)
	at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
Caused: java.security.cert.CertPathValidatorException: timestamp check failed
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
	at 

[JIRA] (JENKINS-23685) Bitbucket Plugin to support Pull Request POST hook Management

2016-11-25 Thread deras...@gmail.com (JIRA)
Dmitry Erastov edited a comment on JENKINS-23685

Re: Bitbucket Plugin to support Pull Request POST hook Management

Is this still the case? It appears to be, because even though I have both pushed changes and created/updated PRs set as webhook triggers in Bitbucket, I only seem to get payloads that relate to pushed commits; nothing that looks like [pull requests payloads](https://confluence.atlassian.com/bitbucket/event-payloads-740262817.html#EventPayloads-Pullrequestevents).


[JIRA] (JENKINS-23685) Bitbucket Plugin to support Pull Request POST hook Management

2016-11-25 Thread deras...@gmail.com (JIRA)
Dmitry Erastov commented on JENKINS-23685

Re: Bitbucket Plugin to support Pull Request POST hook Management

Is this still the case? It appears to be, because even though I have both pushed changes and created/updated PRs set as webhook triggers in Bitbucket, I only seem to get payloads that relate to pushed commits; nothing that looks like [pull requests payloads](https://confluence.atlassian.com/bitbucket/event-payloads-740262817.html#EventPayloads-Pullrequestevents).


[JIRA] (JENKINS-38258) covcomplplot-plugin unnecessarily depends on Subversion

2016-09-15 Thread deras...@gmail.com (JIRA)
Dmitry Erastov updated an issue

covcomplplot-plugin unnecessarily depends on Subversion

Change By: Dmitry Erastov

I'd like to disable the Subversion plugin in my Jenkins installation, and the only plugin that's consuming it right now is the Coverage/Complexity Scatter Plot.

I'm not an expert on how Jenkins plugins work, but it seems the sole reason for this is that the plugin's pom.xml [references](https://github.com/jenkinsci/covcomplplot-plugin/blob/master/pom.xml#L40) an old svn repo for Powermock. This has since moved to Github, so it would seem that the repo URL needs to be updated (or removed, if the library is available from the core Jenkins repo). I didn't find any other references to Subversion in the plugin's source code.

Can someone confirm this analysis?

[JIRA] (JENKINS-38258) covcomplplot-plugin unnecessarily depends on Subversion

2016-09-15 Thread deras...@gmail.com (JIRA)
Dmitry Erastov created an issue

covcomplplot-plugin unnecessarily depends on Subversion

Issue Type: Bug
Assignee: Unassigned
Components: covcomplplot-plugin
Created: 2016/Sep/15 9:40 PM
Environment: Jenkins 2.22, Coverage/Complexity Scatter Plot PlugIn 1.1.1
Labels: subversion dependencies plugin coverage
Priority: Minor
Reporter: Dmitry Erastov

I'd like to disable the Subversion plugin in my Jenkins installation, and the only plugin that's consuming it right now is the Coverage/Complexity Scatter Plot. I'm not an expert on how Jenkins plugins work, but it seems the sole reason for this is that the plugin's pom.xml [references](https://github.com/jenkinsci/covcomplplot-plugin/blob/master/pom.xml#L40) an old svn repo for Powermock. This has since moved to Github, so it would seem that the repo URL needs to be updated (or removed, if the library is available from the core Jenkins repo). I didn't find any other references to Subversion in the plugin's source code. Can someone confirm this analysis?

[JIRA] (JENKINS-35514) Ability to disable script console

2016-07-31 Thread deras...@gmail.com (JIRA)
Dmitry Erastov commented on JENKINS-35514

Re: Ability to disable script console

My original point was that even though the individual vulnerabilities or even vulnerability classes have been since fixed, the console still provides very broad privileges on the local Jenkins installation (and potentially local system, if the run-as user is misconfigured). If a particular team doesn't use the console, why should they have this potential security risk?


[JIRA] [core] (JENKINS-35514) Ability to disable script console

2016-06-09 Thread deras...@gmail.com (JIRA)
Dmitry Erastov created an issue

Ability to disable script console

Issue Type: Improvement
Assignee: Unassigned
Components: core
Created: 2016/Jun/09 9:23 PM
Labels: security script console
Priority: Minor
Reporter: Dmitry Erastov

The administrative script console allows very broad access to Jenkins, and this has been a source of vulnerabilities in the past, e.g.
https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console
https://duckduckgo.com/?q=jenkins+script+console+java+execution=web

My team never uses this feature, and we'd like to reduce our attack surface by disabling the console completely, preferably from the system-level Jenkins config (/etc/sysconfig/jenkins on Linux). Is there an existing undocumented option for that? If not, will it be possible to add such an option?

We do have mandatory auth and access control, but still would like to disable this feature.