accounts.jenkins.io can't login or use password reset


accounts.jenkins.io can't login or use password reset

Johan Cornelissen
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/3177e2de-e005-400b-8582-e12107773d62%40googlegroups.com.

Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
Hi Johan,

This is related to yesterday's INFRA outage: https://groups.google.com/forum/#!topic/jenkins-infra/zRqdiyarLDE . "Ldap database backup stopped in February 2020 which means that we lost three months of ldap changes." We restored the latest available backup, so recent changes are lost. We are looking into possible options to fully or partially restore the changes, but no good news right now.

If you provide your account ID, I will try to reset it manually. If you registered less than 3 months ago, then you may need to re-register.

Best regards,
Oleg

On Wednesday, June 3, 2020 at 5:30:10 PM UTC+2, Johan Cornelissen wrote:
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.


Re: accounts.jenkins.io can't login or use password reset

Johan Cornelissen
Thanks for the information Oleg. I was worried that it might be related to the outage.

My username is johanc if you are able to reset it manually.

Cheers,
Johan

On Wednesday, 3 June 2020 12:56:59 UTC-4, Oleg Nenashev wrote:
Hi Johan,

This is related to yesterday's INFRA outage: https://groups.google.com/forum/#!topic/jenkins-infra/zRqdiyarLDE . "Ldap database backup stopped in February 2020 which means that we lost three months of ldap changes." We restored the latest available backup, so recent changes are lost. We are looking into possible options to fully or partially restore the changes, but no good news right now.

If you provide your account ID, I will try to reset it manually. If you registered less than 3 months ago, then you may need to re-register.

Best regards,
Oleg


Re: accounts.jenkins.io can't login or use password reset

Michał Malicki
In reply to this post by Oleg Nenashev
Hi Oleg,
I have a similar situation, can't log in to the account with id "deviniti". I'd appreciate it if you could try to reset that one as well.
If that account is not in current db, can we re-register providing the same id?
Regards,
Michał

On Wednesday, June 3, 2020 at 6:56:59 PM UTC+2, Oleg Nenashev wrote:
Hi Johan,

This is related to yesterday's INFRA outage: https://groups.google.com/forum/#!topic/jenkins-infra/zRqdiyarLDE . "Ldap database backup stopped in February 2020 which means that we lost three months of ldap changes." We restored the latest available backup, so recent changes are lost. We are looking into possible options to fully or partially restore the changes, but no good news right now.

If you provide your account ID, I will try to reset it manually. If you registered less than 3 months ago, then you may need to re-register.

Best regards,
Oleg


Re: accounts.jenkins.io can't login or use password reset

Olblak-2
If that account is not in current db, can we re-register providing the same id?
Yes, you can; in your case I see that there is already an account in the database.

On Thu, Jun 4, 2020, at 10:19 AM, Michał Malicki wrote:
Hi Oleg,
I have a similar situation, can't log in to the account with id "deviniti". I'd appreciate it if you could try to reset that one as well.
If that account is not in current db, can we re-register providing the same id?
Regards,
Michał


Re: accounts.jenkins.io can't login or use password reset

Mez Pahlan
In reply to this post by Johan Cornelissen
I'm glad I checked here first!

Same thing happened to me. My user id is: mezpahlan

I registered more than 3 months ago but I have changed my password in the last 3 months and don't remember the old one any more. Do I need to password reset?

Thanks

On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.


Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
Yes, it is better to do password reset.
Admin UI in the Account App looks a bit strange for me, apparently I cannot reset passwords for other users at the moment.



On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[hidden email]> wrote:
I'm glad I checked here first!

Same thing happened to me. My user id is: mezpahlan

I registered more than 3 months ago but I have changed my password in the last 3 months and don't remember the old one any more. Do I need to password reset?

Thanks


Re: accounts.jenkins.io can't login or use password reset

Dmitry Sotnikov
Do you guys plan to reach out to all the extension owners?

We just accidentally found out about the issue: couldn't log in or reset password, and then found this thread. When we created a new account (42Crunch) for our company it just automatically assumed all access and extension ownership for the plugin that we had published a few weeks ago.

This can be dangerous because someone might take over existing accounts of other vendors and then push malware updates to customers.

Dmitry

On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
Yes, it is better to do password reset.
Admin UI in the Account App looks a bit strange for me, apparently I cannot reset passwords for other users at the moment.




Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
Hi all,

An official update w.r.t this topic is coming soon. I confirm the assessment by Dmitry, it is a potential security risk which was reported on multiple occasions. SECURITY-1895 is a report for this incident, and it is currently being investigated by the security team.

Just to provide some updates:
  • As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases" location are prohibited. Plugin maintainers will get HTTP 409 when they try to upload releases. Incremental releases and snapshot deployment are not affected by this change
  • We are reviewing all audit logs to confirm whether the potential issue with uploads was exploited. According to the preliminary analysis, the answer is "no"
Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting where this issue will be discussed in more detail. Calendar link

Best regards,
Oleg Nenashev
Jenkins Security Team



On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
Do you guys plan to reach out to all the extension owners?

We just accidentally found out about the issue: couldn't log in or reset password, and then found this thread. When we created a new account (42Crunch) for our company it just automatically assumed all access and extension ownership for the plugin that we had published a few weeks ago.

This can be dangerous because someone might take over existing accounts of other vendors and then push malware updates to customers.

Dmitry

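The condition Dmitry describes and the audit-log review mentioned in the update above, as an added example (not code from the Jenkins project or from anyone in this thread): upload permission keyed by account id outlives the directory entry, so the check looks for ids that hold permission but are missing from the restored directory, and for uploads made by ids that were re-created after the restore. The data layout, ids, paths and RESTORE_TIME are constructed assumptions; only the 8:50AM UTC upload block on June 9, 2020 comes from the thread.

```python
from datetime import datetime, timezone


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM' as a timezone-aware UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# From the thread: uploads to "/releases" were prohibited as of 8:50AM UTC, June 9, 2020.
UPLOAD_BLOCK = utc("2020-06-09 08:50")
# Assumption: when the restored backup went live; the thread gives no exact time.
RESTORE_TIME = utc("2020-06-02 00:00")

# Constructed sample data: ids, paths and timestamps are invented for illustration.
DIRECTORY = {  # account id -> creation time of the entry now in the directory
    "alice": utc("2018-03-01 10:00"),
    "bob": utc("2019-11-20 08:30"),
    "vendor-x": utc("2020-06-05 09:12"),  # registered again after the restore
    "newdev": utc("2020-06-06 14:00"),    # genuinely new, holds no permission
}
UPLOAD_PERMISSIONS = {  # repository path prefix -> ids allowed to upload
    "releases/org/example/plugin-a/": {"alice"},
    "releases/org/example/plugin-b/": {"bob", "ghost"},
    "releases/org/example/plugin-x/": {"vendor-x"},
}
AUDIT_LOG = [  # (time, account id, uploaded path)
    (utc("2020-01-10 12:00"), "alice", "releases/org/example/plugin-a/1.0/plugin-a-1.0.hpi"),
    (utc("2020-05-15 16:40"), "vendor-x", "releases/org/example/plugin-x/1.0/plugin-x-1.0.hpi"),
    (utc("2020-06-07 03:05"), "vendor-x", "releases/org/example/plugin-x/1.1/plugin-x-1.1.hpi"),
    (utc("2020-06-08 11:00"), "alice", "releases/org/example/plugin-a/1.1/plugin-a-1.1.hpi"),
]


def permitted_ids(permissions):
    """All account ids named in any upload permission entry."""
    ids = set()
    for allowed in permissions.values():
        ids |= allowed
    return ids


def claimable_ids(directory, permissions):
    """Ids that still hold upload permission but have no directory entry.

    Whoever registers such an id next inherits the permission, so these are
    the ids to reserve or strip from the permission lists first.
    """
    return sorted(permitted_ids(permissions) - set(directory))


def recreated_ids(directory, permissions, audit_log, restore_time):
    """Permitted ids whose directory entry is newer than the restore although
    the same id already uploaded before that entry existed."""
    first_seen = {}
    for when, account, _path in audit_log:
        if account not in first_seen or when < first_seen[account]:
            first_seen[account] = when
    found = []
    for account in permitted_ids(permissions):
        created = directory.get(account)
        if created is None or created < restore_time:
            continue  # missing entry, or entry that survived in the backup
        if account in first_seen and first_seen[account] < created:
            found.append(account)
    return sorted(found)


def uploads_to_verify(directory, permissions, audit_log, restore_time, block_time):
    """Uploads by re-created ids between re-registration and the upload block.

    Each hit needs out-of-band confirmation from the known maintainer.
    """
    recreated = set(recreated_ids(directory, permissions, audit_log, restore_time))
    return [
        (when, account, path)
        for when, account, path in audit_log
        if account in recreated and directory[account] <= when <= block_time
    ]


if __name__ == "__main__":
    print("claimable:", claimable_ids(DIRECTORY, UPLOAD_PERMISSIONS))
    print("re-created:", recreated_ids(DIRECTORY, UPLOAD_PERMISSIONS, AUDIT_LOG, RESTORE_TIME))
    for hit in uploads_to_verify(DIRECTORY, UPLOAD_PERMISSIONS, AUDIT_LOG,
                                 RESTORE_TIME, UPLOAD_BLOCK):
        print("verify:", hit[0].isoformat(), hit[1], hit[2])
```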

Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
We are also experiencing issues with artifact downloads, likely a collateral damage after the change

On Tuesday, June 9, 2020 at 11:15:03 AM UTC+2, Oleg Nenashev wrote:
Hi all,

An official update w.r.t this topic is coming soon. I confirm the assessment by Dmitry, it is a potential security risk which was reported on multiple occasions. SECURITY-1895 is a report for this incident, and it is currently being investigated by the security team.

Just to provide some updates:
  • As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases" location are prohibited. Plugin maintainers will get HTTP 409 when they try to upload releases. Incremental releases and snapshot deployment are not affected by this change
  • We are reviewing all audit logs to confirm whether the potential issue with uploads was exploited. According to the preliminary analysis, the answer is "no"
Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting where this issue will be discussed in more detail. Calendar link

Best regards,
Oleg Nenashev
Jenkins Security Team




Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
Downloads are restored. Another workaround has been applied by Daniel in https://github.com/jenkins-infra/repository-permissions-updater/pull/1569 , so user downloads are no longer broken.
Thanks a lot to Daniel Beck for the quick fix!

Uploads are still blocked for everyone except a few users with Artifactory-wide permissions. We will be reviewing our options and communicating the next steps soon

Best regards,
Oleg

On Tuesday, June 9, 2020 at 2:29:39 PM UTC+2, Oleg Nenashev wrote:
We are also experiencing issues with artifact downloads, likely a collateral damage after the change


Re: accounts.jenkins.io can't login or use password reset

Roni Segal
Hi, any updates on the uploads? We still cannot upload our plugin.

On Tuesday, 9 June 2020 15:58:33 UTC+3, Oleg Nenashev wrote:
Downloads are restored. Another workaround has been applied by Daniel in https://github.com/jenkins-infra/repository-permissions-updater/pull/1569 , so user downloads are no longer broken.
Thanks a lot to Daniel Beck for the quick fix!

Uploads are still blocked for everyone except a few users with Artifactory-wide permissions. We will be reviewing our options and communicating the next steps soon

Best regards,
Oleg

On Tuesday, June 9, 2020 at 2:29:39 PM UTC+2, Oleg Nenashev wrote:
We are also experiencing issues with artifact downloads, likely a collateral damage after the change

On Tuesday, June 9, 2020 at 11:15:03 AM UTC+2, Oleg Nenashev wrote:
Hi all,

An official update w.r.t this topic is coming soon. I confirm the assessment by Dmitry, it is a potential security risk which was reported on multiple occasions. SECURITY-1895 is a report for this incident, and it is currently being investigated by the security team.

Just to provide some updates:
  • As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases" location are prohibited. Plugin maintainers will get HTTP 409 when they try to upload releases. Incremental releases and snapshot deployment are not affected by this change
  • We are reviewing all audit logs to confirm whether the potential issue with uploads was exploited. According to the preliminary analysis, the answer is "no"
Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting where this issue will be discussed in more details. Calendar link

Best regards,
Oleg Nenashev
Jenkins Security Team



On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
Do you guys plan to reach out to all the extension owners?

We just accidentally found out about the issue: couldn't log in or reset password, and then found this thread. When we created a new account (42Crunch) for our company it just automatically assumed all access and extension ownership for the plugin that we had published a few weeks ago.

This can be dangerous because someone might take over existing accounts of other vendors and then push malware updates to customers.

Dmitry

On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
Yes, it is better to do password reset.
Admin UI in the Account App looks a bit strange for me, apparently I cannot reset passwords for other users at the moment.



On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[hidden email]> wrote:
I'm glad I checked here first!

Same thing happened to me. My user id is: mezpahlan

I registered more than 3 months ago but I have changed my password in the last 3 months and don't remember the old one any more. Do I need to password reset?

Thanks

On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.
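
The exposure Dmitry describes and the audit-log review in Oleg's 9 June update, sketched as an added example that is not part of the thread or of any Jenkins tooling: upload grants keyed by username survive a directory restore, so a name missing from the restored directory can be registered by anyone and inherit the grant. All account names, timestamps, data structures and function names below are constructed assumptions.

```python
from datetime import datetime, timezone

# All data is constructed for illustration; none of it comes from Jenkins systems.
RESTORE_TIME = datetime(2020, 6, 2, 12, 0, tzinfo=timezone.utc)  # hypothetical restore moment

# Upload grants keyed by username and stored outside the directory,
# so they were not rolled back when the stale backup was restored.
PERMISSIONS = {
    "plugin-alpha": ["alice"],
    "plugin-beta": ["bob", "carol"],
    "plugin-gamma": ["dave"],
}

# Directory contents after the restore, including registrations made since.
DIRECTORY = {
    "alice": {"created": datetime(2018, 3, 1, tzinfo=timezone.utc)},
    "bob": {"created": datetime(2020, 6, 8, 9, 0, tzinfo=timezone.utc)},  # registered after restore
    "carol": {"created": datetime(2019, 11, 5, tzinfo=timezone.utc)},
    "erin": {"created": datetime(2020, 6, 9, tzinfo=timezone.utc)},       # new user, holds no grant
}

# Upload audit events: (ISO timestamp, username, repository path).
UPLOAD_EVENTS = [
    ("2020-06-01T10:00:00+00:00", "alice", "releases/plugin-alpha/1.4"),
    ("2020-06-08T09:30:00+00:00", "bob", "releases/plugin-beta/2.0"),
    ("2020-06-08T11:00:00+00:00", "carol", "releases/plugin-beta/2.1"),
]


def grants_by_user(permissions):
    """Invert {artifact: [usernames]} into {username: {artifacts}}."""
    out = {}
    for artifact, users in permissions.items():
        for uid in users:
            out.setdefault(uid, set()).add(artifact)
    return out


def classify_grants(permissions, directory, restore_time):
    """Split grant holders into two risk groups.

    orphaned: the username has a grant but no directory entry, so the name
              is open for registration and the grant should be suspended.
    claimed:  the username has a grant and an entry created after the restore.
              This may be the legitimate owner re-registering; it needs
              out-of-band verification before the grant is trusted again.
    """
    orphaned, claimed = {}, {}
    for uid, artifacts in grants_by_user(permissions).items():
        account = directory.get(uid)
        if account is None:
            orphaned[uid] = sorted(artifacts)
        elif account["created"] > restore_time:
            claimed[uid] = sorted(artifacts)
    return orphaned, claimed


def uploads_to_review(events, claimed, restore_time):
    """Return upload events made after the restore by accounts in `claimed`."""
    flagged = []
    for ts, uid, path in events:
        if uid in claimed and datetime.fromisoformat(ts) >= restore_time:
            flagged.append((ts, uid, path))
    return flagged


if __name__ == "__main__":
    orphaned, claimed = classify_grants(PERMISSIONS, DIRECTORY, RESTORE_TIME)
    print("grants with no account behind them:", orphaned)
    print("grants held by accounts created after restore:", claimed)
    for event in uploads_to_review(UPLOAD_EVENTS, claimed, RESTORE_TIME):
        print("review upload:", event)
```

Binding grants to an identifier that is never reissued, rather than to the username, removes the inheritance path this check looks for.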


Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
Please see https://groups.google.com/forum/m/#!topic/jenkinsci-dev/3UvrCTflXGk for the status updates. Yes, downloads are still blocked

On Sun, Jun 14, 2020, 14:40 Roni Segal <[hidden email]> wrote:
Hi, any updates on the uploads? We still cannot upload our plugin.


Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
Uploads should be reenabled now: https://groups.google.com/d/msg/jenkinsci-dev/3UvrCTflXGk/gWT_tH7VAgAJ 

On Sunday, June 14, 2020 at 2:48:20 PM UTC+2, Oleg Nenashev wrote:
Please see https://groups.google.com/forum/m/#!topic/jenkinsci-dev/3UvrCTflXGk for the status updates. Yes, downloads are still blocked


Re: accounts.jenkins.io can't login or use password reset

Matt Murphy
Hi Oleg,

I've hit the same problem as others on this thread (my password no longer works and a reset doesn't send the email).  Can you reset my account pw too?  User id is mattmurp

Thanks,

On Monday, June 15, 2020 at 10:13:25 AM UTC-4, Oleg Nenashev wrote:
Uploads should be reenabled now: https://groups.google.com/d/msg/jenkinsci-dev/3UvrCTflXGk/gWT_tH7VAgAJ


Re: accounts.jenkins.io can't login or use password reset

Aaron Whiteside
In reply to this post by Oleg Nenashev
Hi Oleg,

I've had the same issue, not able to login or reset my password. My account ID is aaronjwhiteside.


Thanks in advance!

Regards,
Aaron

On Thursday, June 4, 2020 at 2:56:59 AM UTC+10, Oleg Nenashev wrote:
Hi Johan,

This is related to the yesterday's INFRA outage: https://groups.google.com/forum/#!topic/jenkins-infra/zRqdiyarLDE . " Ldap database backup stopped in February 2020 which means that we lost three months of ldap changes.". We restored the latest available backup, so recent changes are lost. We are looking into possible options to fully or partially restore the changes, but no good news right now.

If you provide your account ID, I will try to reset it manually. If you have registered less than 3 months ago, then you may need to re-register

Best regards,
Oleg

On Wednesday, June 3, 2020 at 5:30:10 PM UTC+2, Johan Cornelissen wrote:
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.


Re: accounts.jenkins.io can't login or use password reset

Oleg Nenashev
Hi all,

Please bring up these issues in the Jenkins Infrastructure mailing list: https://groups.google.com/forum/#!forum/jenkins-infra

The user accounts password reset was not finished as communicated here: https://groups.google.com/d/msg/jenkinsci-dev/3UvrCTflXGk/ll-opqUhBgAJ. In the current state I am afraid of touching the user database, and I would prefer that other Jenkins Infra team members with more subject matter knowledge handle account requests. Right now I have no bandwidth to perform history review and manual fix for users.

Thanks for understanding,
Oleg

On Saturday, July 4, 2020 at 2:17:15 PM UTC+2, Aaron Whiteside wrote:
Hi Oleg,

I've had the same issue, not able to login or reset my password. My account ID is aaronjwhiteside.


Thanks in advance!

Regards,
Aaron

On Thursday, June 4, 2020 at 2:56:59 AM UTC+10, Oleg Nenashev wrote:
Hi Johan,

This is related to the yesterday's INFRA outage: https://groups.google.com/forum/#!topic/jenkins-infra/zRqdiyarLDE . "Ldap database backup stopped in February 2020 which means that we lost three months of ldap changes.". We restored the latest available backup, so recent changes are lost. We are looking into possible options to fully or partially restore the changes, but no good news right now.

If you provide your account ID, I will try to reset it manually. If you have registered less than 3 months ago, then you may need to re-register

Best regards,
Oleg

On Wednesday, June 3, 2020 at 5:30:10 PM UTC+2, Johan Cornelissen wrote:
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.
