It looks like the email I'm responding to never made it to the users or dev 
list, and it was lost in moderation in the infra list. Given the importance of 
the topic, I'm responding anyway, including the users list.

---

When you install Jenkins, it doesn't set up access control automatically. 
You're expected to do this afterwards (which has its problems[1], but that's 
the way it is right now). Jenkins even tells you to do that on the "Manage 
Jenkins" screen if security has not been set up.

And when on the "Configure Global Security" page, one of the options is a 
checkbox that says "Prevent Cross Site Request Forgery exploits". Its help text 
basically explains why it's not enabled by default:

> Enabling this option can result in some problems, like the following:
> 
>       • Some Jenkins features (like the remote API) are more difficult to use 
> when this option is enabled.
>       • Some features, especially in plugins not tested with this option 
> enabled, may not work at all.
>       • If you are accessing Jenkins through a reverse proxy, it may strip 
> the CSRF HTTP header, resulting in some protected actions failing.


I tested a few of the examples provided, and none worked when I enabled this 
protection. I really doubt any of them work.

So, don't just install and start Jenkins, and then go home. Set it up properly, 
and you're safe.

More on setting up security in Jenkins: 
https://wiki.jenkins-ci.org/display/JENKINS/Securing+Jenkins

1: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-01

On 08.09.2015, at 23:47, Paulos Yibelo <habte.yib...@gmail.com> wrote:

> Hi,
> 
> It's been days since a 0day in Jenkins has been announced to the
> public that can do almost anything to Jenkins, including code
> execution: https://www.exploit-db.com/exploits/37999/
> 
> But since then there appears to be no update in the change log, and no
> security advisories have come out. Is this normal? For a project this
> big, shouldn't such issues not only be fixed in hours, but not be
> found in the first place? I'm just curious if the next version is going
> to contain the advisories.
> 
> Please anyone with a knowledge of this, speak up.
> 
> Thanks,
> P
> _______________________________________________
> Jenkins-infra mailing list
> jenkins-in...@lists.jenkins-ci.org
> http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra
> 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/F00853A6-26AC-4FD8-B63C-4A7944E72F64%40beckweb.net.
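The message above says to set up access control and the CSRF option yourself after installing. Below is an added example of doing that unattended, as an init script dropped into $JENKINS_HOME/init.groovy.d/. It is not code from the original message or from the Jenkins project; it uses core classes that exist in 2015-era Jenkins (HudsonPrivateSecurityRealm, FullControlOnceLoggedInAuthorizationStrategy, DefaultCrumbIssuer). The admin user name and password are placeholders, and the setAllowAnonymousRead call assumes a core new enough to have it (all 2.x releases do; on an older core drop that line).

```groovy
// $JENKINS_HOME/init.groovy.d/basic-security.groovy
// Added example, not from the original message or the Jenkins project.
// Runs once at startup. The user name and password below are placeholders;
// read real credentials from a file that is not in version control.
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.csrf.DefaultCrumbIssuer

def instance = Jenkins.getInstance()

// Only act on a fresh install. isUseSecurity() is true as soon as a
// security realm or authorization strategy has been configured, so an
// administrator's existing setup (LDAP, matrix auth, ...) is left alone.
if (instance.isUseSecurity()) {
    println "basic-security.groovy: security already configured, skipping"
    return
}

// 1. Security realm: Jenkins' own user database, with self sign-up
//    disabled so that reaching the login page does not grant an account.
def realm = new HudsonPrivateSecurityRealm(false)
realm.createAccount("admin", "CHANGE-ME")   // placeholder credentials (assumption)
instance.setSecurityRealm(realm)

// 2. Authorization strategy: logged-in users may do anything, anonymous
//    users may not even read. For more than one team, switch to
//    matrix-based or project-based authorization instead.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
instance.setAuthorizationStrategy(strategy)

// 3. CSRF protection, i.e. the "Prevent Cross Site Request Forgery
//    exploits" checkbox. The constructor argument is
//    excludeClientIPFromCrumb; true keeps crumbs valid behind a reverse
//    proxy that rewrites the client address, which is the case the help
//    text warns about.
instance.setCrumbIssuer(new DefaultCrumbIssuer(true))

instance.save()
println "basic-security.groovy: private user database, no anonymous access, CSRF crumbs enabled"
```

After a restart, an unauthenticated GET on /api/json should return 403 rather than the job list, and any POST without a crumb should be rejected; remote API clients then have to fetch a crumb from /crumbIssuer/api/json and send it back as the header named in crumbRequestField, which is the "more difficult to use" the help text refers to.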