Security spring cleaning

Daniel Beck
April 3, 2019

Today we published a security advisory that mostly informs about issues in Jenkins plugins that have no fixes. What’s going on?

The Jenkins security team triages incoming reports to both Jira and our non-public mailing list. Once we’ve determined it is a plugin not maintained by any Jenkins security team members, we try to inform the plugin maintainer about the issue, offering our help in developing, reviewing, and publishing any fixes. Sometimes the affected plugin is unmaintained, or maintainers don’t respond in a timely manner to the notifications or the follow-up emails we send.

In such cases, we publish security advisories informing users about these issues, even if there’s no new release with a fix. Doing so allows administrators to make an informed decision about the continued use of plugins with unresolved security vulnerabilities. Today’s advisory is overwhelmingly such an advisory.

See a plugin you love on this list and want to help out? Learn about adopting plugins.

About the author

Daniel Beck

Daniel is a Jenkins core maintainer and member of the Jenkins security team. He was the inaugural Jenkins security officer from 2015 to 2021. He sometimes contributes to developer documentation and project infrastructure in his spare time.