Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 20/Apr/15 6:26 AM
Description:

Official downloads for the Jenkins binaries are served over plain HTTP. This is a security vulnerability, as any binaries being downloaded can easily be modified on-the-fly to inject malicious code. As Jenkins itself often has access to sensitive information, this presents a serious security vulnerability, especially for those who install and deploy Jenkins automatically.

Since it's now 2015, and we know that these attacks actively happen in the wild by all sorts of nefarious types, it's probably time to change this.

Fortunately, the fix is simple! Just add a rewrite rule to replace all http:// requests to *.jenkins-ci.org and jenkins-ci.org with their respective https:// equivalents in your HTTP server, and then enable HSTS.
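
As an added illustration of the fix proposed above (not configuration from the Jenkins project or from this issue), here is an nginx server-block pair that redirects the hostnames named in the issue to HTTPS and sets the HSTS header. The certificate paths are placeholders, and nginx is an assumption since the issue does not say which HTTP server serves the downloads.

```nginx
# Weak setting: downloads served directly over plain HTTP, so an on-path
# attacker can replace the binary in transit (the problem this issue reports).
# server {
#     listen 80;
#     server_name jenkins-ci.org *.jenkins-ci.org;
#     root /var/www/downloads;   # placeholder path
# }

# Corrected setting, part 1: every http:// request gets a permanent redirect
# to the same host and path over https://, so existing download URLs keep
# working for browsers and for installers that follow redirects.
server {
    listen 80;
    server_name jenkins-ci.org *.jenkins-ci.org;
    return 301 https://$host$request_uri;
}

# Corrected setting, part 2: serve the downloads over TLS and send HSTS so
# browsers refuse plain HTTP for this host (and its subdomains) in future.
server {
    listen 443 ssl;
    server_name jenkins-ci.org *.jenkins-ci.org;

    ssl_certificate     /etc/ssl/certs/jenkins-ci.org.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/jenkins-ci.org.key; # placeholder

    # One year, cover subdomains; "always" adds the header on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/downloads;   # placeholder path
}

# Check after reload (constructed expected output, shown as a comment):
#   curl -sI http://jenkins-ci.org/download/ | grep -i -e '^HTTP' -e '^Location'
#   HTTP/1.1 301 Moved Permanently
#   Location: https://jenkins-ci.org/download/
```

Note that HSTS is honoured by browsers only; non-browser clients such as curl, wget or a configuration-management tool still make their first request in the clear and are protected only by the redirect, so published download URLs and installer scripts should reference https:// directly rather than rely on being redirected.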

Project: Jenkins
Labels: security
Priority: Minor
Reporter: Rich Jones