
jenkins 2.19.4 security issues

    Description

      Jenkins LTS 2.32.2 has been released which includes fixes for a number of security issues that are present in 2.19.4 (current production release) https://jenkins.io/security/advisory/2017-02-01/

      We were unable to upgrade past 2.19.4 due to the swarm plugin not being forward compatible. However, a new release of the swarm plugin (3.3) was made last Friday, that should be compatible with the current LTS release.

      Updating the swarm client may resolve/improve the segv's in DM-8915.


            Activity

            Joshua Hoblitt added a comment - edited

            Remaining tasks on this issue:

            • verify that ssh "agent" plugin is working
            • verify that the new version of the swarm agent is working on el6
            • update openjdk
            • Add a summary of significant changes to this ticket
            Joshua Hoblitt added a comment -

            Jenkins 2.60.3
            ===
             
            Plugins
            ---
             
            ### General tightening down on plugins that execute groovy:
             
            https://jenkins.io/security/advisory/2017-04-10/
             
             
            ### slack job-dsl autogenerated bindings have changed
             
            At least this accessor is gone:
             
                buildServerUrl(null)
             
             
            ### warning about Scriptler being insecure
             
            Stuck with this plugin until ActiveChoices can be removed.
             
             
            ### warning about ssh slaves not checking host key
             
            Ignoring this for now as we can live with "KnownHosts" verification.
             
             
            ### warning about post-build plugin allowing groovy script to run with elevated permissions
             
            This is used by:
             
            * validate_drp.groovy
            * stack_os_matrix.groovy
             
            The plugin can be dropped after these jobs are migrated to pipeline.
             
            ### slack plugin can now use credentials for its auth token
             
            Configuration migrated from injected plain-text to using the credentials facility.
             
             
            ### job-dsl groovy sandbox
             
            Now enabled by default -- breaks libraries completely by disabling classpath
            and requires all scripts to be approved by admin without configuring the per
            project auth plugin.
             
            In configureSecurity -- uncheck
             
            Enable script security for Job DSL scripts
             
            ```groovy
            // Run from the Jenkins script console; needs Overall/Administer.
            import jenkins.model.*

            // Global Job DSL security setting lives on this descriptor.
            def jobDslSecurity = Jenkins.getInstance().getDescriptor("javaposse.jobdsl.plugin.GlobalJobDslSecurityConfiguration")

            // Turn off "Enable script security for Job DSL scripts" (seed jobs then run unsandboxed Groovy).
            jobDslSecurity.setUseScriptSecurity(false)

            // Echo the resulting value; expect "false".
            println jobDslSecurity.getUseScriptSecurity()
            ```
             
             
            ### swarm 3.4 is broken
             
            swarm 3.3 appears to be functional
             
             
            ### workflow-job not compatible with 2.60 (current LTS)
             
            2.14.1 causes the jenkins startup process to fail with a cascade of plugin loading failures
             
             
                SEVERE: Failed Loading plugin Pipeline v2.5 (workflow-aggregator)
                java.io.IOException: Pipeline v2.5 failed to load.
                 - Pipeline: Job v2.14.1 failed to load. Fix this plugin first.
                    at hudson.PluginWrapper.resolvePluginDependencies(PluginWrap
             
             
            ### activeChoice warning
             
            https://wiki.jenkins.io/display/JENKINS/Active+Choices+Plugin
             
                Warning: (stack.groovy, line 15) activeChoiceParam is deprecated
             
             
            Puppet
            ---
             
            * update to puppet-jenkins to handle changes with the CLI.jar
            * multiple bug fixes including properly handling plugin version upgrades
            
            

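Added example, not part of the comment above or of the puppet-jenkins module: a script-console check to run after the upgrade that reports the state the comment describes. The table of known-bad plugin versions (swarm 3.4, workflow-job 2.14.1) and the 2.32.2 floor are taken from this ticket; the function name auditUpgrade is assumed.

```groovy
// Paste into Manage Jenkins -> Script Console (needs Overall/Administer).
import jenkins.model.Jenkins
import hudson.util.VersionNumber

List<String> auditUpgrade(Jenkins j) {
    def findings = []

    // Oldest LTS carrying the 2017-02-01 advisory fixes, per the ticket description.
    def minCore = new VersionNumber('2.32.2')
    def core = Jenkins.getVersion()
    if (core == null || core.isOlderThan(minCore)) {
        findings << "core ${Jenkins.VERSION} is older than ${minCore}: advisory fixes missing"
    }

    // Plugin versions this ticket found broken on 2.60.x (table built from the comment).
    def knownBad = [
        'swarm'       : ['3.4'],
        'workflow-job': ['2.14.1'],
    ]
    knownBad.each { name, badVersions ->
        def p = j.pluginManager.getPlugin(name)
        if (p == null) { return }
        if (badVersions.contains(p.version)) {
            findings << "plugin ${name} ${p.version} is a version this ticket found broken"
        }
        if (!p.active) {
            findings << "plugin ${name} ${p.version} is installed but failed to load"
        }
    }

    // The comment disables Job DSL script security; surface that so it is a conscious choice.
    def jobDsl = j.getDescriptor('javaposse.jobdsl.plugin.GlobalJobDslSecurityConfiguration')
    if (jobDsl != null && !jobDsl.useScriptSecurity) {
        findings << 'Job DSL script security is off: seed jobs run unsandboxed Groovy, restrict who can edit them'
    }

    // Anything the update center already lists a newer version for.
    j.pluginManager.plugins.findAll { it.hasUpdate() }.each {
        findings << "plugin ${it.shortName} ${it.version} has an update available"
    }
    return findings
}

def findings = auditUpgrade(Jenkins.instance)
println(findings ? findings.join('\n') : 'no findings')
```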
            Joshua Hoblitt added a comment -

            The Jenkins master + swarm clients were updated and the service appears to be functioning normally.


              People

              • Assignee: Joshua Hoblitt
              • Reporter: Joshua Hoblitt