[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Andrew Grimberg agrimberg at linuxfoundation.org
Wed Jun 8 14:04:47 UTC 2016


On 06/08/2016 05:51 AM, Darragh Bailey wrote:

--[snip]--

> 
>         Unfortunately it's come to our attention that this feature in
>         Jenkins requires the Administrator permission which can be
>         problematic if you have an environment where you prefer not to
>         give this permission out. I think the ideal solution is to build
>         into Jenkins a separate permission for viewing plugin
>         information. I'll try contacting Jenkins devs to see if this is
>         something they can do inside Jenkins.
> 
> 
> 
> Curious to know what version of Jenkins you used? Is this a new security
> feature added by recent versions, or is it something depending on what
> other permissions have been enabled by default for various users?
> 
> Because I can query a 1.565.3 installation of Jenkins for its list of
> plugins as an anonymous user using the following URL:

The behavior changed between 1.651.1 and 1.652.2.

Specifically this was a security fix that came in with 1.652.2. See the
security fixes [0] that came with the release notes. Search for
SECURITY-250 or CVE-2016-3723.

-Andy-

[0]
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

-- 
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation
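As an added example (not code from the thread, from JJB, or from Jenkins), the following Python script shows how a JJB-style tool can probe a Jenkins instance for plugin information and report cleanly when the caller lacks the Administer permission that the SECURITY-250 fix requires. The fixed version, 1.652.2, is taken from the message above; the endpoint path `/pluginManager/api/json?depth=1`, the status-code handling, and the `base_url`/`user`/`token` parameters are assumptions of this example, not anything the thread states.

```python
"""Probe Jenkins plugin information with permission-aware error handling.

Added example, not from the thread. Assumption: the tool queries
/pluginManager/api/json?depth=1, which after the SECURITY-250 fix
(Jenkins 1.652.2, per the thread) answers only to callers holding
the Administer permission.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# Assumed endpoint path (not stated in the thread).
PLUGIN_INFO_PATH = "/pluginManager/api/json?depth=1"
# First release carrying the SECURITY-250 fix, as stated in the thread.
FIXED_VERSION = (1, 652, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Jenkins version string such as '1.652.2' or '2.7' into a tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def plugin_info_needs_admin(version: str) -> bool:
    """True when this Jenkins version gates plugin info behind Administer."""
    return parse_version(version) >= FIXED_VERSION


def classify_plugin_response(status: int, body: bytes) -> Tuple[str, List[str]]:
    """Map an HTTP response from the plugin endpoint to an outcome label.

    Returns one of:
      ("ok", [plugin short names])      -- caller may read plugin info
      ("permission-denied", [])         -- 401/403: Administer is missing
      ("unexpected-body", [])           -- 200 but not JSON, e.g. a login
                                           page reached via redirect
      ("error", [])                     -- any other status
    """
    if status in (401, 403):
        return ("permission-denied", [])
    if status != 200:
        return ("error", [])
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return ("unexpected-body", [])
    plugins = data.get("plugins", []) if isinstance(data, dict) else []
    return ("ok", [p.get("shortName", "") for p in plugins])


def fetch_plugin_info(base_url: str, user: Optional[str] = None,
                      token: Optional[str] = None, timeout: int = 10) -> Tuple[str, List[str]]:
    """Query the plugin endpoint, optionally with HTTP Basic credentials.

    Network access happens only here; the classifier above is pure so it
    can be exercised offline.
    """
    request = urllib.request.Request(base_url.rstrip("/") + PLUGIN_INFO_PATH)
    if user and token:
        credentials = base64.b64encode(f"{user}:{token}".encode("utf-8")).decode("ascii")
        request.add_header("Authorization", "Basic " + credentials)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_plugin_response(response.status, response.read())
    except urllib.error.HTTPError as err:
        # Jenkins answers 403 for an authenticated user without Administer.
        return classify_plugin_response(err.code, err.read())


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    outcome, names = fetch_plugin_info(url)
    if outcome == "permission-denied":
        print("plugin info requires the Administer permission on this Jenkins;"
              " supply an admin token or skip plugin-dependent features")
    else:
        print(outcome, names)
```

A tool that depends on plugin information can call `plugin_info_needs_admin()` with the version Jenkins reports to decide up front whether to ask for administrator credentials, and can use the `"permission-denied"` outcome to degrade gracefully instead of failing on an opaque HTTP error.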
