[jenkinsci/codescene-plugin] 291d6d: Update junit to 4.13.1 to fix temporary folder dis...

Mon, 23 Nov 2020 23:30:18 -0800 

  Branch: refs/heads/junit
  Home:   https://github.com/jenkinsci/codescene-plugin
  Commit: 291d6d8005e2632acca6040a54dd52269b877662
      
https://github.com/jenkinsci/codescene-plugin/commit/291d6d8005e2632acca6040a54dd52269b877662
  Author: Juraj Martinka <juma...@gmail.com>
  Date:   2020-11-24 (Tue, 24 Nov 2020)

  Changed paths:
    M pom.xml

  Log Message:
  -----------
  Update junit to 4.13.1 to fix temporary folder disclosure vulnerability.

See 
https://github.com/jenkinsci/codescene-plugin/network/alert/pom.xml/junit:junit/open.
It's not important in our case but good to clear list of alerts of GitHub's 
dependabot.

Here's a copy of the `Impact` section from the bug description:
---
On Unix like systems, the system's temporary directory is shared between all 
users on that system. Because of this, when files and directories are written 
into this directory they are, by default, readable by other users on that same 
system.

This vulnerability does not allow other users to overwrite the contents of 
these directories or files. This is purely an information disclosure 
vulnerability.

When analyzing the impact of this vulnerability, here are the important 
questions to ask:

Do the JUnit tests write sensitive information, like API keys or passwords, 
into the temporary folder?
If yes, this vulnerability impacts you, but only if you also answer 'yes' to 
question 2.
If no, this vulnerability does not impact you.
Do the JUnit tests ever execute in an environment where the OS has other 
untrusted users.
This may apply in CI/CD environments but normally won't be 'yes' for personal 
developer machines.
If yes, and you answered 'yes' to question 1, this vulnerability impacts you.
If no, this vulnerability does not impact you.


-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Commits" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-commits+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-commits/jenkinsci/codescene-plugin/push/refs/heads/junit/000000-291d6d%40github.com.

Reply via email to