On Wed, Jan 15, 2014 at 06:57:07PM -0800, Kohsuke Kawaguchi wrote:
> OK, that's embarrassing.
> 
> Indeed we haven't figured out how to communicate security problems to
> plugin developers. Sometimes it's not obvious who to talk to, and even when
> it is obvious, we haven't configured JIRA to let us grant read access on
> issue-by-issue basis.
> 
> Issues not getting timely enough attention is unfortunate, but aside from
> trying to add more people to the jenkinsci-cert group (which we are always
> trying), I'm not sure how to resolve that.
> 
> Daniel, given the level of activity you commit in the core, I feel like you
> could help us fix those issues, in addition to finding them.

As an outsider, I'm glad to see you care about security.


What about packaging?  The Debian packages available from upstream start
the web server on the public IP right from the post-inst script, before
you get a chance to set up any security.  This allows remote code
execution as user jenkins.

(The Jenkins package in the Ubuntu archive is configured to start the
web server on localhost only, which sounds like a sane mitigation
strategy to me.)

Should I file a bug?  (I have filed a few bugs about packaging issues
(one involving data loss), but haven't seen any response at all after
many months, which made me stop caring.  I have some small expertise
with Debian packaging, and I'm willing to post patches, if I think they
will not be silently ignored for months.)

Marius Gedminas
-- 
Open Source Software: There are days when I can't figure out whether I'm living
in a Socialist utopia or a Libertarian one.
        -- Alex Future Bokov
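The loopback-only mitigation Marius describes, as an added example that is not part of the thread or of the Jenkins project's packaging: a small POSIX sh check that reads a Debian-style /etc/default/jenkins and reports whether the Winstone listener is restricted to loopback. It assumes the package passes listener options through JENKINS_ARGS and that --httpListenAddress=ADDR selects the bind address (absent means all interfaces); the two defaults files it inspects are constructed here, not copied from any real package.

```shell
#!/bin/sh
# Added example (not from the thread or the Jenkins packaging):
# check whether a Debian-style /etc/default/jenkins binds the HTTP
# listener to loopback only.  Assumption: the package hands listener
# options to Jenkins via JENKINS_ARGS, where --httpListenAddress=ADDR
# picks the bind address and its absence means "all interfaces".

# Return 0 when the given JENKINS_ARGS string binds only to loopback,
# 1 when it would expose the listener on every interface.
jenkins_bound_to_loopback() {
    addr=$(printf '%s\n' "$1" | tr ' ' '\n' \
           | sed -n 's/^--httpListenAddress=//p' | tail -n 1)
    case "$addr" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Pull the last JENKINS_ARGS="..." assignment out of a defaults file
# without sourcing it (sourcing would execute anything else in there).
jenkins_args_from_file() {
    sed -n 's/^JENKINS_ARGS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Print a verdict for one defaults file; exit status mirrors the check.
check_defaults_file() {
    if jenkins_bound_to_loopback "$(jenkins_args_from_file "$1")"; then
        echo "$1: listener restricted to loopback"
        return 0
    fi
    echo "$1: listener bound to all interfaces before any security setup"
    return 1
}

# Constructed sample configs: the weak default beside the corrected one.
WEAK_ARGS='--webroot=/var/cache/jenkins/war --httpPort=8080'
FIXED_ARGS="$WEAK_ARGS --httpListenAddress=127.0.0.1"

main() {
    tmp=$(mktemp -d)
    printf 'JENKINS_ARGS="%s"\n' "$WEAK_ARGS"  > "$tmp/jenkins.weak"
    printf 'JENKINS_ARGS="%s"\n' "$FIXED_ARGS" > "$tmp/jenkins.fixed"
    check_defaults_file "$tmp/jenkins.weak"  || true
    check_defaults_file "$tmp/jenkins.fixed" || true
    rm -rf "$tmp"
}
main
```

Point check_defaults_file at the real /etc/default/jenkins to audit an installed host; a non-loopback bind is exactly the state the post-inst script leaves the server in.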