As a plugin maintainer, what should I do if I want to fix a warning?

As a plugin maintainer, what should I do if I want to fix a warning?

liuweiGL
I want to fix the problem:

Dingding[钉钉] Plugin stores credentials in plain text 

SECURITY-1423 / CVE-2019-10433

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

and what should I do? I can't find the issue in the Jenkins Jira.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/3262bec6-0aea-4cda-a9d5-32bb45c5aa0f%40googlegroups.com.
Re: As a plugin maintainer, what should I do if I want to fix a warning?

Björn Pedersen


On Sunday, 19 January 2020 04:35:20 UTC+1, liuweiGL wrote:
I want to fix the problem:

Dingding[钉钉] Plugin stores credentials in plain text (https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423)

SECURITY-1423 / CVE-2019-10433

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

and what should I do? I can't find the issue in the Jenkins Jira.


You need to switch to a way to store the credentials encrypted. The canonical way is using the Credentials plugin features.
Doc: Credentials plugin documentation (https://github.com/jenkinsci/credentials-plugin/tree/master/docs)
(see the consumer guide there for details) and https://jenkins.io/doc/developer/security/secrets/

See either https://jenkins.io/doc/developer/plugin-development/mark-a-plugin-incompatible/ or/and https://wiki.jenkins.io/display/JENKINS/Hint+on+retaining+backward+compatibility
for how to deal with the necessary changes to configuration.

Björn
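As an added example (not the Dingding plugin's own code), here is the change Björn describes applied to a hypothetical notifier class: the plaintext String field becomes a hudson.util.Secret, and readResolve() migrates values from config.xml files written by the old version so existing jobs keep loading; the descriptor and config.jelly are omitted. If the field keeps its name, changing its type to Secret is sufficient because Secret.fromString accepts plaintext input; the renamed-field case shown here also needs readResolve().

```java
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Hypothetical notifier written for this example; not the Dingding plugin's code.
 *
 * Before the fix (the state SECURITY-1423 describes) the token was a plain String
 * field, so XStream wrote it into the job's config.xml verbatim:
 *
 *     private String token;   // -> <token>the-real-token</token>
 *
 * After the fix the field is a hudson.util.Secret, which XStream persists encrypted
 * with the instance's master key, so Extended Read users see ciphertext only.
 */
public class ExampleDingdingNotifier extends Notifier {

    /**
     * Legacy plaintext field, kept only so config.xml files written by the old
     * version still load. Jenkins' XStream2 reads a transient field when its
     * element is present in the XML but never writes it back, so the plaintext
     * is no longer persisted once the job is saved again.
     */
    @Deprecated
    private transient String token;

    /** Replacement field: encrypted at rest; the config form uses f:password for it. */
    private Secret accessToken;

    @DataBoundConstructor
    public ExampleDingdingNotifier(Secret accessToken) {
        this.accessToken = accessToken;
    }

    /** Returns the Secret itself; call getPlainText() only when building the request. */
    public Secret getAccessToken() {
        return accessToken;
    }

    /** XStream calls this after loading; it migrates the legacy value into the Secret. */
    protected Object readResolve() {
        if (accessToken == null && token != null) {
            // Secret.fromString accepts plaintext and returns an encrypted Secret.
            // The file on disk keeps the plaintext until the job is next saved,
            // so re-saving migrated items is part of the rollout.
            accessToken = Secret.fromString(token);
            token = null; // drop the in-memory plaintext copy
        }
        return this;
    }

    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }
}
```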


Re: As a plugin maintainer, what should I do if I want to fix a warning?

Richard Bywater-3
In reply to this post by liuweiGL
Regarding the Jira issue portion of the question, I'm guessing that it's likely sitting in a protected issue within the SECURITY project in Jira. Hopefully Daniel Beck (the Jenkins security officer) or one of the security team will see this message and get in touch with further details of the vulnerability, but guessing if you don't hear anything then you could try firing an email to [hidden email], which I believe is the security team's private mailing list.

Richard.

On Sun, 19 Jan 2020 at 16:35, liuweiGL <[hidden email]> wrote:
I want to fix the problem:

Dingding[钉钉] Plugin stores credentials in plain text 

SECURITY-1423 / CVE-2019-10433

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

and what should I do? I can't find the issue in the Jenkins Jira.


Re: As a plugin maintainer, what should I do if I want to fix a warning?

Daniel Beck-2

On Mon, Jan 20, 2020 at 9:23 AM Richard Bywater <[hidden email]> wrote:
Regarding the Jira issue portion of the question, I'm guessing that it's likely sitting in a protected issue within the SECURITY project in Jira. Hopefully Daniel Beck (the Jenkins security officer) or one of the security team will see this message and get in touch with further details of the vulnerability

I granted access to the private security issue to liu wei, but there's not really more information there, other than exactly what field in XML this is about; but between plugin code and advisory, this should be easy enough to determine anyway.

The advice in https://jenkins.io/doc/developer/security/secrets/ about how to fix it is what matters, and Björn already linked that (thanks!).


Re: As a plugin maintainer, what should I do if I want to fix a warning?

liuweiGL
I have fixed the problem, and I want to close the related Jenkins issue, but I still can't find it.

On Monday, 20 January 2020 at 16:36:41 UTC+8, Daniel Beck wrote:

On Mon, Jan 20, 2020 at 9:23 AM Richard Bywater <ric...@...> wrote:
Regarding the Jira issue portion of the question, I'm guessing that it's likely sitting in a protected issue within the SECURITY project in Jira. Hopefully Daniel Beck (the Jenkins security officer) or one of the security team will see this message and get in touch with further details of the vulnerability

I granted access to the private security issue to liu wei, but there's not really more information there, other than exactly what field in XML this is about; but between plugin code and advisory, this should be easy enough to determine anyway.

The advice in https://jenkins.io/doc/developer/security/secrets/ about how to fix it is what matters, and Björn already linked that (thanks!).


Re: As a plugin maintainer, what should I do if I want to fix a warning?

liuweiGL
In reply to this post by Björn Pedersen
Thank you.

On Monday, 20 January 2020 at 15:41:07 UTC+8, Björn Pedersen wrote:


On Sunday, 19 January 2020 04:35:20 UTC+1, liuweiGL wrote:
I want to fix the problem:

Dingding[钉钉] Plugin stores credentials in plain text (https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423)

SECURITY-1423 / CVE-2019-10433

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

and what should I do? I can't find the issue in the Jenkins Jira.


You need to switch to a way to store the credentials encrypted. The canonical way is using the Credentials plugin features.
Doc: Credentials plugin documentation (https://github.com/jenkinsci/credentials-plugin/tree/master/docs)
(see the consumer guide there for details) and https://jenkins.io/doc/developer/security/secrets/

See either https://jenkins.io/doc/developer/plugin-development/mark-a-plugin-incompatible/ or/and https://wiki.jenkins.io/display/JENKINS/Hint+on+retaining+backward+compatibility
for how to deal with the necessary changes to configuration.

Björn


Re: As a plugin maintainer, what should I do if I want to fix a warning?

liuweiGL
In reply to this post by Richard Bywater-3
Thank you too.

On Monday, 20 January 2020 at 16:23:40 UTC+8, Richard Bywater wrote:
Regarding the Jira issue portion of the question, I'm guessing that it's likely sitting in a protected issue within the SECURITY project in Jira. Hopefully Daniel Beck (the Jenkins security officer) or one of the security team will see this message and get in touch with further details of the vulnerability, but guessing if you don't hear anything then you could try firing an email to jenkins...@googlegroups.com, which I believe is the security team's private mailing list.

Richard.

On Sun, 19 Jan 2020 at 16:35, liuweiGL <liuwe...@...> wrote:
I want to fix the problem:

Dingding[钉钉] Plugin stores credentials in plain text (https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423)

SECURITY-1423 / CVE-2019-10433

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

and what should I do? I can't find the issue in the Jenkins Jira.


Re: As a plugin maintainer, what should I do if I want to fix a warning?

Daniel Beck-2
In reply to this post by liuweiGL
On Mon, Jan 20, 2020 at 1:52 PM liuweiGL <[hidden email]> wrote:
I had fixed the problem, and i want to close the related jenkins issue but i still can't find it.

The issue is at https://issues.jenkins-ci.org/browse/SECURITY-1423 and I granted you access and sent you a notification about it via Jira.

Once we publish a security issue (fixed or not), we close it in Jira, as there is no longer a need to track it in private. So there is no issue to close here. If you want to track the fix now in public, you need to create a new issue.


Re: As a plugin maintainer, what should I do if I want to fix a warning?

liuweiGL
Okay, thanks for your patience.

On Monday, 20 January 2020 at 22:18:32 UTC+8, Daniel Beck wrote:
On Mon, Jan 20, 2020 at 1:52 PM liuweiGL <liuwe...@...> wrote:
I have fixed the problem, and I want to close the related Jenkins issue, but I still can't find it.

The issue is at https://issues.jenkins-ci.org/browse/SECURITY-1423 and I granted you access and sent you a notification about it via Jira.

Once we publish a security issue (fixed or not), we close it in Jira, as there is no longer a need to track it in private. So there is no issue to close here. If you want to track the fix now in public, you need to create a new issue.
