Draft JEP: Switch Remoting/XStream blacklist to a whitelist

Jesse Glick-4
After some discussion within the CERT team, I am happy to propose

https://github.com/jenkinsci/jep/pull/23/files?short_path=b956eee

as a security hardening measure going forward.

(Yes I know the JEP process itself has not been formally adopted yet,
but I figured it could not hurt to start exercising it.)

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr0FOgyQTcW4KxpsPjMaeCy2c1mb1hofb6moW7j2VV5FAg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Draft JEP: Switch Remoting/XStream blacklist to a whitelist

Liam Newman
This submission has been approved as Draft JEP-200. 

 https://github.com/jenkinsci/jep/tree/jep-200


On Monday, October 30, 2017 at 3:10:25 PM UTC-7, Jesse Glick wrote:
After some discussion within the CERT team, I am happy to propose

https://github.com/jenkinsci/jep/pull/23/files?short_path=b956eee

as a security hardening measure going forward.

(Yes I know the JEP process itself has not been formally adopted yet,
but I figured it could not hurt to start exercising it.)
