[JIRA] [core] (JENKINS-32759) Update bundled Groovy version

2016-02-19 Thread te...@java.net (JIRA)
James Nord resolved as Duplicate

Jenkins / JENKINS-32759
Update bundled Groovy version

Change By: James Nord
Status: Open -> Resolved
Resolution: Duplicate

 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[JIRA] [core] (JENKINS-32759) Update bundled Groovy version

2016-02-03 Thread ow...@cloudbees.com (JIRA)
Owen Wood created an issue

Jenkins / JENKINS-32759
Update bundled Groovy version

Issue Type: Improvement
Assignee: Unassigned
Components: core
Created: 04/Feb/16 2:02 AM
Priority: Minor
Reporter: Owen Wood

We were evaluating a plugin that uses Groovy and discovered the version of Groovy it uses has a published security advisory. Digging further we found it was actually core Jenkins that provides Groovy. Our analysis:

The Groovy version in use (1.8.9) does have a security advisory (https://www.cvedetails.com/cve/CVE-2015-3253/). In all likelihood this is not patched; Apache (http://www.groovy-lang.org/security.html) is hands-off prior to their takeover of 2.4.4. However, this version is not an issue with the plugin itself; the version is specified by Jenkins' POMs. In this case, the plugin uses 1.565.3 and gets Groovy 1.8.9 transitively; even the very latest POM/API (1.585) is still at 1.8.9. It follows that every plugin already installed utilizing Groovy, and likely Jenkins core, is equally vulnerable. The vulnerability can be mitigated, if desired, by setting security policies (Groovy is held to those policies just like 'regular' Java).

We are asking for Jenkins to upgrade the provided Groovy version.

https://github.com/jenkinsci/jenkins/blob/master/core/pom.xml#L44
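The transitive-dependency situation the reporter describes (a plugin that pins jenkins-core and receives groovy-all from it without naming Groovy in its own POM) is worth checking mechanically rather than by reading POMs. The following is an added example, not code from the reporter or from the Jenkins project: a small Python checker that parses the text output of `mvn dependency:tree`, walks the tree while keeping the ancestor path, and flags any Groovy artifact whose version falls inside the range the CVE-2015-3253 entry lists as affected (1.7.0 through 2.4.3; that range is taken from the CVE description, not from this ticket). The sample tree in the block is constructed to mirror the versions quoted above and is not captured from a real build; the artifact and group names are the usual Maven coordinates, but the plugin coordinates are hypothetical.

```python
import re

# Affected range for CVE-2015-3253 as stated in the CVE description
# (Apache Groovy 1.7.0 through 2.4.3). Taken from the CVE entry, not from the ticket.
AFFECTED_MIN = (1, 7, 0)
AFFECTED_MAX = (2, 4, 3)
GROOVY_GROUPS = {"org.codehaus.groovy", "org.apache.groovy"}

# Constructed sample of `mvn dependency:tree` output for a hypothetical plugin
# (org.example:my-plugin) that depends on jenkins-core 1.565.3. Not a real build.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ my-plugin ---
[INFO] org.example:my-plugin:hpi:1.0-SNAPSHOT
[INFO] +- org.jenkins-ci.main:jenkins-core:jar:1.565.3:provided
[INFO] |  +- org.codehaus.groovy:groovy-all:jar:1.8.9:provided
[INFO] |  \\- commons-io:commons-io:jar:2.4:provided
[INFO] \\- junit:junit:jar:4.11:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""


def parse_version(version):
    """Return the leading numeric dotted part of a Maven version as a 3-tuple,
    or None if the version does not start with a number."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())


def is_affected(version):
    """True if the version lies inside the CVE-2015-3253 affected range."""
    parsed = parse_version(version)
    return parsed is not None and AFFECTED_MIN <= parsed <= AFFECTED_MAX


def parse_tree(text):
    """Yield (depth, group, artifact, version, scope) for each coordinate line
    of `mvn dependency:tree` output. Depth comes from the 3-column tree glyphs
    ('+- ', '|  ', '\\- ', '   ') that precede each coordinate."""
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        body = line.lstrip("|+\\- ")
        if not body or " " in body:
            continue  # separator rows, plugin banner, BUILD SUCCESS, etc.
        depth = (len(line) - len(body)) // 3
        parts = body.split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root has no scope
        if len(parts) == 4:
            group, artifact, _type, version = parts
            scope = ""
        elif len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue
        yield depth, group, artifact, version, scope


def find_vulnerable_groovy(text):
    """Walk the tree with a stack of ancestors so each finding records the
    dependency path that pulled the Groovy artifact in."""
    findings = []
    stack = []
    for depth, group, artifact, version, scope in parse_tree(text):
        del stack[depth:]  # discard the previous node's siblings and children
        stack.append(f"{group}:{artifact}:{version}")
        if group in GROOVY_GROUPS and artifact.startswith("groovy") and is_affected(version):
            findings.append({
                "artifact": f"{group}:{artifact}",
                "version": version,
                "scope": scope,
                "path": " -> ".join(stack),
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_groovy(SAMPLE_TREE):
        print(f"{f['artifact']} {f['version']} ({f['scope']}) is in the "
              f"CVE-2015-3253 range, pulled in via {f['path']}")
```

Feed it the output of `mvn dependency:tree` for the plugin in question (narrowing with `-Dincludes=org.codehaus.groovy` keeps the output small); the recorded path shows whether Groovy arrives through jenkins-core rather than through the plugin's own POM, which is the reporter's point. The range test is a version-string heuristic over the declared dependency, so confirm against what is actually loaded at runtime (for instance `groovy.lang.GroovySystem.getVersion()` from the script console) before deciding that a policy-based mitigation is or is not needed.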