Vulnerability in JQuery on Jenkins


Vulnerability in JQuery on Jenkins

Eric Fetzer
Hi All,

Just got gigged by our security team for a vulnerability in Jenkins with the version of JQuery installed.  How do I go about updating the version of JQuery Jenkins runs?  Here's the specifics of the vulnerability:

Plugin Output: 
  URL               : http://myMachine:8081/js/jquery-1.11.1.min.js
  Installed version : 1.11.1
  Fixed version     : 3.5.0

I'm running version 2.235.5 of Jenkins.

Thanks,
Eric

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/13c921b1-02f4-4f00-a474-266fe766ced0n%40googlegroups.com.

Re: Vulnerability in JQuery on Jenkins

vince bailey
Hi All,

You need to go to min 2.241 or 2.251; there are security issues on older versions.

docker containers
jenkins/jenkins:2.241
jenkins/jenkins:2.51

or go to this website



-- 
Regards,

Vince Bailey

Live long and prosper !!!







On 26 Aug 2020, at 15:38, eric....@gmail.com <[hidden email]> wrote:

Hi All,

Just got gigged by our security team for a vulnerability in Jenkins with the version of JQuery installed.  How do I go about updating the version of JQuery Jenkins runs?  Here's the specifics of the vulnerability:

Plugin Output: 
  URL               : http://myMachine:8081/js/jquery-1.11.1.min.js
  Installed version : 1.11.1
  Fixed version     : 3.5.0

I'm running version 2.235.5 of Jenkins.

Thanks,
Eric


RE: Vulnerability in JQuery on Jenkins

Jérôme Godbout

So it means the LTS 2.235.5 is not covered by those security fixes? jQuery 1.11 is old, like 2014, and security patches stopped in 2015.

 

From: [hidden email] <[hidden email]> On Behalf Of vince bailey
Sent: August 26, 2020 10:45 AM
To: 'Björn Pedersen' via Jenkins Users <[hidden email]>
Subject: Re: Vulnerability in JQuery on Jenkins

 

Hi All,

You need to go to min 2.241 or 2.251; there are security issues on older versions.

docker containers
jenkins/jenkins:2.241
jenkins/jenkins:2.51

or go to this website

Re: Vulnerability in JQuery on Jenkins

vince bailey
Hi All,

It's because of the plugins mainly. LTS versions are more stable and are supported for a long time, but they are not updated to fix security holes, and your Jenkins server will often ask you to update your war file, or whatever process you use to update Jenkins.

PS: if your Jenkins sits on an OS like Windows/Linux/Mac, you must update their security patches often.

I am running a Docker container, version 2.251, and it's great: new look, new features, and connectivity to things like Atlassian products works much better.

-- 
Regards,

Vince Bailey

Live long and prosper !!!







On 26 Aug 2020, at 15:51, Jérôme Godbout <[hidden email]> wrote:

So it means the LTS 2.235.5 is not covered by those security fixes? jQuery 1.11 is old, like 2014, and security patches stopped in 2015.
 

Re: Vulnerability in JQuery on Jenkins

Ulli Hafner
In reply to this post by Eric Fetzer
You cannot update this specific version. There are still some plugins (and maybe some old core scripts as well) that use jQuery 1, so we cannot remove that dependency. If a new plugin wants to use jQuery then there is an additional plugin available: https://github.com/jenkinsci/jquery3-api-plugin


Re: Vulnerability in JQuery on Jenkins

vince bailey
Yeah,

Plugins can be a pain in the neck.

You could build a Jenkins server as a test server, as a test rig, which is what I do as a Docker container, with all your current software, and test the new plugins.

That will at least ensure that after your testing you will know if your pipeline still works.



-- 
Regards,

Vince Bailey

Live long and prosper !!!







On 26 Aug 2020, at 16:10, Ullrich Hafner <[hidden email]> wrote:

You cannot update this specific version. There are still some plugins (and maybe some old core scripts as well) that use jQuery 1, so we cannot remove that dependency. If a new plugin wants to use jQuery then there is an additional plugin available: https://github.com/jenkinsci/jquery3-api-plugin
