Branch: refs/heads/rc
Home: https://github.com/jenkinsci/jenkins

Commit: 7338713975c1791e09be9b9670470cf1052577f0
    https://github.com/jenkinsci/jenkins/commit/7338713975c1791e09be9b9670470cf1052577f0
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/src/main/java/hudson/slaves/SlaveComputer.java
    M core/src/main/java/jenkins/model/Jenkins.java
    M core/src/main/resources/hudson/slaves/JNLPLauncher/main.jelly
    M core/src/main/resources/hudson/slaves/SlaveComputer/slave-agent.jnlp.jelly
    M pom.xml
    M test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
Log Message:
-----------
[SECURITY-54] Jesse's original patch
(cherry picked from commit 01a24e2cb1e885895c35fdf409c4305dcd877cd8)

Commit: ad08359f53fbb589d7830031317d0d184c6dd330
    https://github.com/jenkinsci/jenkins/commit/ad08359f53fbb589d7830031317d0d184c6dd330
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/src/main/java/hudson/slaves/SlaveComputer.java
    M core/src/main/resources/hudson/slaves/SlaveComputer/slave-agent.jnlp.jelly
    M war/pom.xml
Log Message:
-----------
[SECURITY-54] Massaging the original fix.
- Use the proper block cipher mode. Or else the information about the plain text still ends up revealing as a pattern without the attacker knowing the key.
- No need to hide SLAVE_SECRET from the encrypted payload. jnlpMac is needed to decrypt this payload to begin with, so there's no point in hiding it. This simplifies the code a little bit.
- Using a newer slave installer that uses the -secret option
(cherry picked from commit f4496df19e36465ae8d7cfebc6cde75f2888585b)

Commit: 0271fdb8a21ea6747a8b9a381274b45e13ca944b
    https://github.com/jenkinsci/jenkins/commit/0271fdb8a21ea6747a8b9a381274b45e13ca944b
Author: Jesse Glick <jgl...@cloudbees.com>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/src/main/java/hudson/model/AbstractProject.java
    M core/src/main/java/hudson/model/BuildAuthorizationToken.java
    M core/src/main/java/hudson/model/ParametersDefinitionProperty.java
    M core/src/main/java/jenkins/security/ApiTokenFilter.java
    A core/src/main/resources/hudson/model/AbstractProject/requirePOST.jelly
    A core/src/main/resources/hudson/model/AbstractProject/requirePOST.properties
    M core/src/main/resources/hudson/views/BuildButtonColumn/column.jelly
    M war/src/main/webapp/scripts/hudson-behavior.js
Log Message:
-----------
[SECURITY-13]
(cherry picked from commit 1fb2acfd7b7d2a492dc2f8a60c69b5e8236dcb52)
Conflicts:
    core/src/main/java/hudson/model/AbstractProject.java
    core/src/main/java/hudson/model/ParametersDefinitionProperty.java

Commit: 61921fbb71976434a70ab72f1856f3da45f7eecf
    https://github.com/jenkinsci/jenkins/commit/61921fbb71976434a70ab72f1856f3da45f7eecf
Author: Jesse Glick <jgl...@cloudbees.com>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/src/main/java/hudson/model/AbstractBuild.java
    M core/src/main/java/hudson/model/AbstractProject.java
    M core/src/main/java/hudson/model/Executor.java
    M core/src/main/java/hudson/model/Queue.java
    M core/src/main/resources/hudson/widgets/BuildHistoryWidget/entries.jelly
    M core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
    M core/src/main/resources/lib/hudson/buildCaption.jelly
    M core/src/main/resources/lib/hudson/executors.jelly
    M core/src/main/resources/lib/hudson/queue.jelly
    A core/src/main/resources/lib/layout/stopButton.jelly
Log Message:
-----------
[SECURITY-16] Require POST for various operations.
(cherry picked from commit 36c8624379df32092d5d3163a853e040905302ea)
Conflicts:
    core/src/main/java/hudson/model/AbstractBuild.java

Commit: 4c52ddfe14cd75b66f03eda9e0b2004e9d5735d7
    https://github.com/jenkinsci/jenkins/commit/4c52ddfe14cd75b66f03eda9e0b2004e9d5735d7
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M war/src/main/webapp/scripts/hudson-behavior.js
Log Message:
-----------
[FIXED SECURITY-46]
(cherry picked from commit f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e)

Commit: 0de3e9b14ed75f70279435e78eb9f6a3a1a179df
    https://github.com/jenkinsci/jenkins/commit/0de3e9b14ed75f70279435e78eb9f6a3a1a179df
Author: Jesse Glick <jgl...@cloudbees.com>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/src/main/java/hudson/model/Api.java
    M core/src/main/java/hudson/security/csrf/CrumbIssuer.java
    M test/src/main/java/org/jvnet/hudson/test/HudsonTestCase.java
    M test/src/test/java/hudson/model/ApiTest.java
    M test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
Log Message:
-----------
[SECURITY-47]
- My second patch, with whitelisted XPath values and forbidden JSONP.
- Disabling JSONP altogether for REST API (unless explicitly allowed).
- Forbid primitive XPath result sets by default.
- Refuse to serve _crumb=123456 as this could (very hypothetically) be exploited.
(cherry picked from commit f4af9b1ab442ca912107d400caf4bb96635d64a5)
Conflicts:
    core/src/main/java/hudson/model/Api.java

Commit: 36342d71e29e0620f803a7470ce96c61761648d8
    https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8
Author: Jesse Glick <jgl...@cloudbees.com>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/src/main/java/hudson/model/AbstractProject.java
    M core/src/main/java/hudson/model/Descriptor.java
    M core/src/main/java/hudson/tasks/BuildTrigger.java
    M core/src/main/resources/hudson/tasks/Messages.properties
    M core/src/main/resources/lib/hudson/project/config-upstream-pseudo-trigger.jelly
Log Message:
-----------
[SECURITY-55] This patch makes standard post-build action refuse to let you configure a downstream project you cannot currently build. The one from parameterized-trigger will show an error in the configure screen but still lets you save the configuration; needs an analogous patch to that plugin. Does not yet protect against POSTing config.xml with the trigger.
(cherry picked from commit 757bc8a53956e6fbab267214e6e0896f03c3c262)
Conflicts:
    core/src/main/java/hudson/model/Descriptor.java

Commit: afaa76c499accd2cbd001141e697854641a9b53c
    https://github.com/jenkinsci/jenkins/commit/afaa76c499accd2cbd001141e697854641a9b53c
Author: Jesse Glick <jgl...@cloudbees.com>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/src/main/resources/hudson/matrix/MatrixProject/configure-entries.jelly
    M core/src/main/resources/hudson/model/AbstractItem/configure-common.jelly
Log Message:
-----------
Use jsStringEscape where necessary.
(cherry picked from commit 6d99c02b124ea3a1d76bd5762e8cab29018fd7cd)

Commit: e52c7efa997534e31526d1ba0ae80ea560619fc9
    https://github.com/jenkinsci/jenkins/commit/e52c7efa997534e31526d1ba0ae80ea560619fc9
Author: Jesse Glick <jgl...@cloudbees.com>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M core/pom.xml
Log Message:
-----------
[SECURITY-60] Upgrade Spring.
(cherry picked from commit b44df8b16a986a0f51e9b0415bde039d05f9e332)
Conflicts:
    core/pom.xml

Commit: d4b3178c81e4b6b41059734ef25854b9ff2e9a06
    https://github.com/jenkinsci/jenkins/commit/d4b3178c81e4b6b41059734ef25854b9ff2e9a06
Author: Jesse Glick <jgl...@cloudbees.com>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M licenseCompleter.groovy
    M maven-plugin/pom.xml
Log Message:
-----------
Exclude NekoHTML and its concomitant obsolete Xerces.
(cherry picked from commit 20d628fa64751b0e7f71fac4acd35b5f42cbcbfd)

Commit: 6801cefc2bbb2ff827178affc6f9274efa4baf7a
    https://github.com/jenkinsci/jenkins/commit/6801cefc2bbb2ff827178affc6f9274efa4baf7a
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M war/pom.xml
Log Message:
-----------
[FIXED JENKINS-16474] Fixed the HTTP request thread saturation problem with Winstone.
(cherry picked from commit 4b1a95f23f19c57d8cf48ea0b1b30aaee541db27)
Conflicts:
    changelog.html

Commit: 4a830ed60fe8db8ccb793b8ed03d5ff5a5cbf3e2
    https://github.com/jenkinsci/jenkins/commit/4a830ed60fe8db8ccb793b8ed03d5ff5a5cbf3e2
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-13 (Wed, 13 Feb 2013)
Changed paths:
    M changelog.html
Log Message:
-----------
recording the change

Commit: 8d5aaf077627a49fab794fe02b922376507e6ff2
    https://github.com/jenkinsci/jenkins/commit/8d5aaf077627a49fab794fe02b922376507e6ff2
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-16 (Sat, 16 Feb 2013)
Changed paths:
    M cli/pom.xml
    M core/pom.xml
    M maven-plugin/pom.xml
    M plugins/pom.xml
    M pom.xml
    M test/pom.xml
    M ui-samples-plugin/pom.xml
    M war/pom.xml
Log Message:
-----------
[maven-release-plugin] prepare release jenkins-1.502

Commit: 70d3dcff0c22a9a3030fdd8f34bfcc2bf584444b
    https://github.com/jenkinsci/jenkins/commit/70d3dcff0c22a9a3030fdd8f34bfcc2bf584444b
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-16 (Sat, 16 Feb 2013)
Changed paths:
    M cli/pom.xml
    M core/pom.xml
    M maven-plugin/pom.xml
    M plugins/pom.xml
    M pom.xml
    M test/pom.xml
    M ui-samples-plugin/pom.xml
    M war/pom.xml
Log Message:
-----------
[maven-release-plugin] prepare for next development iteration

Commit: 17d152817f6cce6a230147d3be8c49de232dc153
    https://github.com/jenkinsci/jenkins/commit/17d152817f6cce6a230147d3be8c49de232dc153
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date: 2013-02-16 (Sat, 16 Feb 2013)
Changed paths:
    M debian/debian/changelog
Log Message:
-----------
updated changelog as a part of the release

Compare: https://github.com/jenkinsci/jenkins/compare/5bca85d99253...17d152817f6c