Re: CVE-2023-50164 Struts question

2024-02-26 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Dec 22, 2023 at 4:26 PM 'wfoll...@cloudbees.com' via Jenkins Developers wrote:

> Now, if you are not sure, you can still contact the security team, but I
> will ask you to provide more details, like which plugin, which CVE, and
> your doubts.
>

After discussing with Wadeck, I'd like to clarify our position:

The Jenkins security team does not generally answer questions about
publicly known vulnerabilities in libraries that may not even be used
anywhere in Jenkins. Any number of commercial or free dependency scanners
can provide an answer. This basically falls into the category of compliance
question/questionnaire (see the highlighted block here).

For vulnerable libraries determined to actually be dependencies, per
our reporting guidelines, we do not consider vulnerabilities in dependencies
to be vulnerabilities in Jenkins unless reporters can demonstrate exploitation,
or at least explain how it *might* work (or it's really obvious). Unfortunately
we get too many folks just dumping unfiltered dependency scanner output into
our issue tracker, so we need to be pretty restrictive here due to our
limited capacity. Similar limitations apply to reports of vulnerabilities
in OS libraries in Docker images.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJ6uA2As806KHtahDdrNpERi299xrB-vxE6HU6AzmkW4g%40mail.gmail.com.


Re: Adopt plugin openid-plugin

2024-02-26 Thread Michael Nazzareno Trimarchi
Hi

On Tue, Feb 27, 2024 at 7:49 AM 'Kevin Guerroudj' via Jenkins Developers wrote:
>
> Hi Michael,
>
> Indeed it seems you're right, OpenID 2.0 doesn't use a state parameter.
> However, it should still be possible to implement a protection against this
> CSRF attack using the openid.return_to parameter.
> This is an optional parameter to which the OpenID Provider should redirect the
> user-agent after authentication, and it can include additional context about
> the request by attaching query parameters
> (https://openid.net/specs/openid-authentication-2_0.html#positive_assertions).
>

return_to is mandatory to send in the OpenID protocol, and I think that
verification is already in process for the redirect URL.

Michael

> On Friday, February 23, 2024 at 3:56:48 PM UTC+1 Michael Nazzareno Trimarchi 
> wrote:
>>
>> Hi all
>>
>> I have a question about a vulnerability, in particular the
>> CSRF vulnerability in the OpenID Plugin.
>>
>> OpenID does not use state in the protocol, so there is no concept of
>> it, but there is a concept of a nonce, and reading OpenID 2.0, that is not
>> supposed to be. Can I know more information about it?
>>
>> Michael
>>
>> On Mon, Feb 19, 2024 at 2:19 PM Michael Nazzareno Trimarchi wrote:
>> >
>> > Hi Daniel, all
>> >
>> > On Mon, Feb 19, 2024 at 2:12 PM 'Daniel Beck' via Jenkins Developers wrote:
>> > >
>> > >
>> > > On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier wrote:
>> > >>
>> > >> Please note that the plugin has multiple public security issues. I'm 
>> > >> sure the security team will require you to resolve them before any 
>> > >> release can be deployed.
>> > >
>> > >
>> > > While we definitely prefer that (new) maintainers address unresolved 
>> > > vulnerabilities as early as possible, we do not generally require that 
>> > > for new releases, with two exceptions:
>> > >
>> > > * Plugins blocked from releasing because we identified a vulnerability 
>> > > introduced since the latest release. Look for "releaseblock" in RPU for 
>> > > examples.
>> > > * Unsuspending plugins. In terms of security, we consider that to be 
>> > > similar to new plugin hosting, so to restore publication, we ask that 
>> > > security issues (publicly known or not) be addressed first.
>> > >
>> > > For anything else, the security warnings shown in Jenkins and on the 
>> > > plugins site will remain active even for new releases.
>> > >
>> > > Some (few) plugins are actively maintained while not addressing 
>> > > previously announced security vulnerabilities. Administrators can make 
>> > > an informed decision on whether they want to install (or keep installed) 
>> > > such plugins.
>> > >
>> > > --
>> > > You received this message because you are subscribed to the Google 
>> > > Groups "Jenkins Developers" group.
>> > > To unsubscribe from this group and stop receiving emails from it, send 
>> > > an email to jenkinsci-de...@googlegroups.com.
>> > > To view this discussion on the web visit 
>> > > https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLDhhbUEHA-YvAARisdpvdAq59CC4Wkn8ET771bvoFSXw%40mail.gmail.com.
>> >
>> > Working to address vulnerabilities.
>> >
>> > Michael



-- 
Michael Nazzareno Trimarchi
Co-Founder & Chief Executive Officer
M. +39 347 913 2170
mich...@amarulasolutions.com
__

Amarula Solutions BV
Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
T. +31 (0)85 111 9172
i...@amarulasolutions.com
www.amarulasolutions.com

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAOf5uwkLb0qbB8cLJCWgbig773CZCzvdWPvAY0ykeJs%3DKRXoEA%40mail.gmail.com.


Re: Adopt plugin openid-plugin

2024-02-26 Thread 'Kevin Guerroudj' via Jenkins Developers
Hi Michael,

Indeed it seems you're right, OpenID 2.0 doesn't use a state parameter.
However, it should still be possible to implement a protection against this
CSRF attack using the openid.return_to parameter.
This is an optional parameter to which the OpenID Provider should redirect the
user-agent after authentication, and it can include additional context about
the request by attaching query parameters
(https://openid.net/specs/openid-authentication-2_0.html#positive_assertions).

On Friday, February 23, 2024 at 3:56:48 PM UTC+1 Michael Nazzareno 
Trimarchi wrote:

> Hi all
>
> I have a question about a vulnerability, in particular the
> CSRF vulnerability in the OpenID Plugin.
>
> OpenID does not use state in the protocol, so there is no concept of
> it, but there is a concept of a nonce, and reading OpenID 2.0, that is not
> supposed to be. Can I know more information about it?
>
> Michael
>
> On Mon, Feb 19, 2024 at 2:19 PM Michael Nazzareno Trimarchi wrote:
> >
> > Hi Daniel, all
> >
> > On Mon, Feb 19, 2024 at 2:12 PM 'Daniel Beck' via Jenkins Developers wrote:
> > >
> > >
> > > On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier <adrien.lec...@gmail.com> wrote:
> > >>
> > >> Please note that the plugin has multiple public security issues. I'm 
> sure the security team will require you to resolve them before any release 
> can be deployed.
> > >
> > >
> > > While we definitely prefer that (new) maintainers address unresolved 
> vulnerabilities as early as possible, we do not generally require that for 
> new releases, with two exceptions:
> > >
> > > * Plugins blocked from releasing because we identified a vulnerability 
> introduced since the latest release. Look for "releaseblock" in RPU for 
> examples.
> > > * Unsuspending plugins. In terms of security, we consider that to be 
> similar to new plugin hosting, so to restore publication, we ask that 
> security issues (publicly known or not) be addressed first.
> > >
> > > For anything else, the security warnings shown in Jenkins and on the 
> plugins site will remain active even for new releases.
> > >
> > > Some (few) plugins are actively maintained while not addressing 
> previously announced security vulnerabilities. Administrators can make an 
> informed decision on whether they want to install (or keep installed) such 
> plugins.
> > >
> >
> > Working to address vulnerabilities.
> >
> > Michael

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/517f803a-036f-4593-b190-21b5f43f2a5en%40googlegroups.com.
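The session binding Kevin describes, and the return_to verification Michael refers to, as an added example that is not part of this thread and not code from the openid-plugin: the relying party stores a random nonce in the browser session when it starts a login, carries it as a query parameter of openid.return_to, and on the positive assertion checks that the signed return_to matches the URL actually hit (OpenID 2.0 section 11.1), that openid.response_nonce has not been seen before (section 11.3), and that the nonce in return_to is the one this session issued. The endpoints, realm, association handle and MAC key are assumed; the OP side is simulated only to produce a signed id_res response.

```python
# Constructed demo; endpoints, association and MAC key are assumed, not real.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
RP_RETURN_BASE = "https://rp.example/finishLogin"  # assumed relying-party return URL
OP_ENDPOINT = "https://op.example/server"          # assumed OpenID Provider endpoint
SIGNED = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
          "claimed_id", "identity"]

def sign(params, fields, mac_key):
    """HMAC over the Key-Value form of the signed fields (OpenID 2.0, 4.1.1 / 6)."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def build_auth_request(session, claimed_id):
    """RP: start a login. A fresh nonce is stored in *this* browser session and
    carried in openid.return_to, which the OP must echo back under its signature."""
    nonce = secrets.token_urlsafe(16)
    session["openid_nonce"] = nonce
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": "assoc-1",  # assumed pre-established association
        "openid.return_to": RP_RETURN_BASE + "?" + urlencode({"nonce": nonce}),
        "openid.realm": "https://rp.example/",
    }
    return OP_ENDPOINT + "?" + urlencode(params)

def op_positive_assertion(auth_request_url, mac_key):
    """Simulated OP: after authenticating the user it redirects the browser to
    return_to with a signed id_res response appended to the query string."""
    req = dict(parse_qsl(urlsplit(auth_request_url).query))
    resp = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": req["openid.claimed_id"],
        "openid.identity": req["openid.identity"],
        "openid.return_to": req["openid.return_to"],
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                                 + secrets.token_hex(4),
        "openid.assoc_handle": req["openid.assoc_handle"],
        "openid.signed": ",".join(SIGNED),
    }
    resp["openid.sig"] = sign(resp, SIGNED, mac_key)
    return req["openid.return_to"] + "&" + urlencode(resp)

def rp_verify(session, request_url, mac_key, seen_nonces):
    """RP: checks on the request that hits the return URL. Returns (ok, detail)."""
    url = urlsplit(request_url)
    q = dict(parse_qsl(url.query))
    if q.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = q.get("openid.signed", "").split(",")
    if (any("openid." + f not in q for f in signed)
            or not {"return_to", "response_nonce"} <= set(signed)):
        return False, "return_to/response_nonce missing or unsigned"
    # Verify the signature first: an unsigned return_to could be rewritten freely.
    if not hmac.compare_digest(sign(q, signed, mac_key), q.get("openid.sig", "")):
        return False, "bad signature"
    # 11.1 Verifying the Return URL: return_to must match the URL actually hit,
    # including every query parameter it carries (our nonce among them).
    rt = urlsplit(q["openid.return_to"])
    rt_q = dict(parse_qsl(rt.query))
    if ((rt.scheme, rt.netloc, rt.path) != (url.scheme, url.netloc, url.path)
            or any(q.get(k) != v for k, v in rt_q.items())):
        return False, "return_to does not match request URL"
    # 11.3 Checking the nonce: refuse replayed assertions.
    if q["openid.response_nonce"] in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(q["openid.response_nonce"])
    # CSRF binding: the nonce in return_to must be the one this session issued (single use).
    issued = session.pop("openid_nonce", None)
    if issued is None or not hmac.compare_digest(issued, rt_q.get("nonce", "")):
        return False, "assertion not bound to this session"
    return True, q["openid.claimed_id"]

def demo():
    """Legitimate login succeeds; an attacker-started login whose return URL is
    loaded in a victim's browser (login CSRF) is rejected."""
    mac_key = secrets.token_bytes(32)  # constructed association MAC key
    seen = set()
    victim = {}
    url = build_auth_request(victim, "https://op.example/id/alice")
    legit = rp_verify(victim, op_positive_assertion(url, mac_key), mac_key, seen)
    attacker, other_victim = {}, {}
    url = build_auth_request(attacker, "https://op.example/id/mallory")
    csrf = rp_verify(other_victim, op_positive_assertion(url, mac_key), mac_key, seen)
    return legit, csrf
```

The order of checks matters: the signature is verified before anything in return_to is trusted, because the OP signs return_to and an attacker who could rewrite the query string unsigned would simply swap in the victim's nonce. In a real relying party the signature check is done with the association's MAC key or via a direct check_authentication request to the OP, and the session dictionary here stands in for the HTTP session; the nonce must be unguessable and consumed on first use, which is why it is popped rather than read.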