Hi all, I have a question about a vulnerability, in particular the CSRF vulnerability in the OpenID Plugin.

OpenID does not use state in the protocol, so there is no concept of it, but a concept of a nonce, and reading OpenID 2.0, that is not supposed to be. Can I know more information about it?

Michael

On Mon, Feb 19, 2024 at 2:19 PM Michael Nazzareno Trimarchi <mich...@amarulasolutions.com> wrote:
>
> Hi Daniel, all
>
> On Mon, Feb 19, 2024 at 2:12 PM 'Daniel Beck' via Jenkins Developers <jenkinsci-dev@googlegroups.com> wrote:
> >
> >
> > On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier <adrien.lecharpent...@gmail.com> wrote:
> >>
> >> Please note that the plugin has multiple public security issues. I'm sure
> >> the security team will require you to resolve them before any release can
> >> be deployed.
> >
> >
> > While we definitely prefer that (new) maintainers address unresolved
> > vulnerabilities as early as possible, we do not generally require that for
> > new releases, with two exceptions:
> >
> > * Plugins blocked from releasing because we identified a vulnerability
> > introduced since the latest release. Look for "releaseblock" in RPU for
> > examples.
> > * Unsuspending plugins. In terms of security, we consider that to be
> > similar to new plugin hosting, so to restore publication, we ask that
> > security issues (publicly known or not) be addressed first.
> >
> > For anything else, the security warnings shown in Jenkins and on the
> > plugins site will remain active even for new releases.
> >
> > Some (few) plugins are actively maintained while not addressing previously
> > announced security vulnerabilities. Administrators can make an informed
> > decision on whether they want to install (or keep installed) such plugins.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLDhhbUEHA-YvAARisdpvdAq59CC4Wkn8ET771bvoFSXw%40mail.gmail.com.
>
> Working to address vulnerabilities.
>
> Michael
>

--
Michael Nazzareno Trimarchi
Co-Founder & Chief Executive Officer
M. +39 347 913 2170
mich...@amarulasolutions.com
__________________________________

Amarula Solutions BV
Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
T. +31 (0)85 111 9172
i...@amarulasolutions.com
www.amarulasolutions.com

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAOf5uwm_8tCoRCt-F17oKwRkcQzCZmDMxSdVGNYasJ0a8SxeAw%40mail.gmail.com.