On 01/16/2014 06:19 AM, Marius Gedminas wrote:
> On Wed, Jan 15, 2014 at 06:57:07PM -0800, Kohsuke Kawaguchi wrote:
> > OK, that's embarrassing.
> >
> > Indeed we haven't figured out how to communicate security problems to
> > plugin developers. Sometimes it's not obvious who to talk to, and even when
> > it is obvious, we haven't configured JIRA to let us grant read access on an
> > issue-by-issue basis.
> >
> > Issues not getting timely enough attention is unfortunate, but aside from
> > trying to add more people to the jenkinsci-cert group (which we are always
> > trying), I'm not sure how to resolve that.
> >
> > Daniel, given the level of activity you commit to the core, I feel like you
> > could help us fix those issues, in addition to finding them.

> As an outsider, I'm glad to see you care about security.
>
>
> What about packaging?  The Debian packages available from upstream start
> the web server on the public IP right from the post-inst script, before
> you get a chance to set up any security.  This allows remote code
> execution as user jenkins.
>
> (The Jenkins package in the Ubuntu archive is configured to start the
> web server on localhost only, which sounds like a sane mitigation
> strategy to me.)

Yeah, this is a good idea.

Perhaps a slight variation of it is to keep listening on these ports as we do today, but show a message saying non-local access is blocked until you acknowledge what you are doing?

That way, it would work across platforms, and it's less confusing to those who are less experienced in system administration?

Something like that can be packaged as a plugin, which makes the integration process easy --- you can just go create code yourself and other people can try/use it, and we'd only have to bundle it in the core.

> Should I file a bug?  (I have filed a few bugs about packaging issues
> (one involving data loss), but haven't seen any response at all after
> many months, which made me stop caring.  I have some small expertise
> with Debian packaging, and I'm willing to post patches, if I think they
> will not be silently ignored for months.)

OK, our apologies. Do you know which ones they are? We want to take a look.

--
Kohsuke Kawaguchi | CloudBees, Inc. | http://cloudbees.com/
Try Jenkins Enterprise, our professional version of Jenkins
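The gate Kohsuke sketches above ("keep listening, but block non-local access until an administrator acknowledges it") comes down to one decision per request: is the peer a loopback client, and has exposure been acknowledged yet? The following is an added example of that decision logic, written for this page and not code from Jenkins or from any plugin; it is in Python rather than Java so it runs stand-alone. The class and function names, the `/setup-notice` path, and the sample traffic are all constructed for the illustration. It deliberately judges locality only from the transport-level peer address (never from `X-Forwarded-For`, which a remote client controls) and treats the IPv4-mapped form `::ffff:127.0.0.1` as loopback, which `IPv6Address.is_loopback` alone does not on older Python releases:

```python
"""Decision logic for a 'block non-local access until acknowledged' gate.

Added example (not Jenkins code): models what a request filter installed at
first start would decide, so the packaging exposure Marius describes (the
web server reachable on the public IP before any security is configured)
is closed without binding to localhost only.
"""
import ipaddress

BLOCK_MESSAGE = ("Non-local access is blocked until an administrator, connecting "
                 "from localhost, acknowledges that this instance is reachable "
                 "from other hosts.")


def is_loopback_client(remote_addr):
    """True only for 127.0.0.0/8 or ::1, including the mapped form ::ffff:127.x.x.x.

    remote_addr must be the transport-level peer address.  Proxy headers such
    as X-Forwarded-For are client-controlled and must never feed this check.
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False                      # garbage in, treat as non-local
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # ::ffff:127.0.0.1 is judged by its IPv4 part
    return ip.is_loopback


class SetupGate:
    """Loopback clients are always allowed; others only after acknowledgement."""

    def __init__(self):
        self.acknowledged = False

    def acknowledge(self, remote_addr):
        """Only a loopback client may lift the block.  Returns whether it succeeded."""
        if not is_loopback_client(remote_addr):
            return False
        self.acknowledged = True
        return True

    def decide(self, remote_addr, path):
        """Return (status, reason).  Before acknowledgement, a non-local client
        gets the notice page and nothing else (in particular not /script)."""
        if is_loopback_client(remote_addr):
            return ("allow", "loopback client")
        if self.acknowledged:
            return ("allow", "exposure acknowledged by a local administrator")
        if path == "/setup-notice":       # hypothetical path serving BLOCK_MESSAGE
            return ("notice", BLOCK_MESSAGE)
        return ("block", BLOCK_MESSAGE)


# Constructed sample traffic: (peer address, requested path).
SAMPLE_REQUESTS = [
    ("127.0.0.1", "/script"),             # local admin: fine
    ("::1", "/"),                         # IPv6 loopback: fine
    ("::ffff:127.0.0.1", "/script"),      # IPv4-mapped loopback: must also count as local
    ("203.0.113.7", "/script"),           # remote client hitting the script console: blocked
    ("203.0.113.7", "/setup-notice"),     # remote client sees only the notice
    ("not-an-ip", "/"),                   # malformed peer address: blocked
]


def run_sample(acknowledge_from=None):
    """Replay SAMPLE_REQUESTS through a fresh gate; returns (addr, path, status) rows."""
    gate = SetupGate()
    if acknowledge_from is not None:
        gate.acknowledge(acknowledge_from)
    return [(addr, path, gate.decide(addr, path)[0]) for addr, path in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The Ubuntu-archive behaviour Marius describes corresponds to starting Jenkins with `--httpListenAddress=127.0.0.1`; the gate above is the cross-platform alternative Kohsuke proposes, since it works regardless of which interface the package binds to, and the acknowledgement itself can only come from a loopback client.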
