[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Zaro zaro0508 at gmail.com
Tue Jun 14 19:18:12 UTC 2016


Ahh, the jenkins.io page confused me since it says the latest LTS is 1.651.3.


On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
<daragh.bailey at gmail.com> wrote:
> The 1.652.x series is an LTS release, so fixes were backported to it that
> are not in subsequent dev releases.
>
> Darragh Bailey
> "Nothing is foolproof to a sufficiently talented fool" - unknown
>
> On 14 Jun 2016 20:02, "Zaro" <zaro0508 at gmail.com> wrote:
>>
>> ----- [ snippet ] ------------
>> >
>> > The behavior changed between 1.651.1 and 1.652.2.
>> >
>> > Specifically this was a security fix that came in with 1.652.2. See the
>> > security fixes [0] that came with the release notes. Search for
>> > SECURITY-250 or CVE-2016-3723.
>> >
>> > -Andy-
>> >
>> > [0]
>> >
>> > https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>
>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>> access plugin info using the REST API as an anonymous user.
>> I enabled security with the following settings:
>>  * jenkins own db
>>  * logged-in user can do anything
>>  * prevent cross site request
>>
>> While not logged in I can get plugin info using
>> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
>>
>> Maybe there's some setting you have enabled that's causing your
>> Jenkins to require admin to access plugin info?
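The thread turns on whether an anonymous request to `<jenkins-baseurl>/pluginManager/api/json?depth=1` still returns plugin details after the SECURITY-250 / CVE-2016-3723 fix. The script below is an added example for checking that on a Jenkins instance you administer; it is not code from this thread, from JJB, or from Jenkins. It assumes only the endpoint path quoted above; the base URL and the sample responses are constructed placeholders, and the classification of a 403 or a redirect-to-login as "protected" is my own reading of the behaviour the thread describes.

```python
"""Defender-side check: does an unauthenticated request to the Jenkins
pluginManager REST endpoint hand back the plugin list?

Added example, not code from the OpenStack-Infra thread, JJB or Jenkins.
Assumes the endpoint path quoted in the thread. Base URL and sample
responses are constructed placeholders.
"""
import json
import urllib.error
import urllib.request

PLUGIN_API_PATH = "/pluginManager/api/json?depth=1"


def classify(status, body):
    """Classify an anonymous response to the plugin-manager endpoint.

    Returns one of:
      'exposed'   - HTTP 200 carrying a 'plugins' list (the pre-fix behaviour
                    Zaro reports on 1.653)
      'protected' - HTTP 403, or a redirect (typically to /login)
      'unknown'   - anything else; inspect by hand
    """
    if status == 403 or status in (301, 302, 303, 307, 308):
        return "protected"
    if status == 200:
        try:
            data = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return "unknown"
        if isinstance(data, dict) and isinstance(data.get("plugins"), list):
            return "exposed"
    return "unknown"


def plugin_names(body):
    """Sorted shortName values from an exposed response, for the report."""
    data = json.loads(body.decode("utf-8"))
    return sorted(p.get("shortName", "?") for p in data.get("plugins", []))


def check_anonymous_plugin_access(base_url, timeout=10.0):
    """Live check against your own instance; sends no credentials.

    Redirects are deliberately not followed, so a bounce to the login page
    is reported as 'protected' instead of as a 200 for the login HTML.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # let the 3xx surface as an HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + PLUGIN_API_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read())


# Constructed sample responses (not captured from any real server).
SAMPLE_EXPOSED = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "git", "version": "2.4.4", "active": True},
        {"shortName": "matrix-auth", "version": "1.4", "active": True},
    ],
}).encode("utf-8")
SAMPLE_FORBIDDEN = b"<html><body>Access Denied</body></html>"

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify(200, SAMPLE_EXPOSED))      # exposed
    print(plugin_names(SAMPLE_EXPOSED))       # ['git', 'matrix-auth']
    print(classify(403, SAMPLE_FORBIDDEN))    # protected
    # Against a real instance you administer (placeholder URL):
    # print(check_anonymous_plugin_access("https://jenkins.example.invalid"))
```

Run it against an instance with the security settings Zaro lists (Jenkins' own user database, "logged-in users can do anything") before and after upgrading past 1.652.2: a result of "exposed" means anonymous callers, JJB included, can still read the plugin inventory; "protected" is the post-fix behaviour that makes JJB need administrator credentials for its plugin-info lookup.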