Message-ID: <20251101022426.GA2874@openwall.com>
Date: Sat, 1 Nov 2025 03:24:26 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins

On Wed, Oct 29, 2025 at 04:19:55PM +0100, Sebastian Pipping wrote:
> On 10/29/25 14:03, Daniel Beck wrote:
> >Additionally, we announce unresolved security issues in the following
> >plugins:
> >
> >* Azure CLI Plugin
> >* ByteGuard Build Actions Plugin
> >* Curseforge Publisher Plugin
> >* Eggplant Runner Plugin
> >* Extensible Choice Parameter Plugin
> >* JDepend Plugin
> >* Nexus Task Runner Plugin
> >* OpenShift Pipeline Plugin
> >* Publish to Bitbucket Plugin
> >* Start Windocks Containers Plugin
> >* Themis Plugin
> 
> For anyone else who also wonders about the combination of announcing 
> without a fix (and the motivation or story behind it), I found
> https://www.jenkins.io/security/plugins/#unresolved for a documented
> answer.

Thanks.  Posting this answer directly in here for those too busy to
visit links and for archival, as taken from the Markdown source:

https://raw.githubusercontent.com/jenkins-infra/jenkins.io/refs/heads/master/content/security/plugins.adoc

> == Announcing Unresolved Vulnerabilities
> 
> In case of a plugin vulnerability, we try to contact the plugin maintainer(s) to inform them of it.
> If they decline (or otherwise fail) to fix the vulnerability, or don't respond in a timely manner, and the security team doesn't have the capacity to fix it, we follow the process outlined below in the interest of our users:
> 
> . Publish a security advisory about the plugin, describing the nature of the vulnerability, but noting that there is no fix (other than no longer using the plugin).
>   If there are workarounds, explain them.
> . In some cases of particularly severe vulnerabilities, link:#suspensions[stop publishing the vulnerable plugin on the Jenkins update sites].
> . Add metadata to update sites to inform administrators on the Jenkins UI about vulnerable plugins they have installed.
> . Display security warnings on https://plugins.jenkins.io/[the plugins site].
> 
> This allows Jenkins administrators to make an informed decision about their continued use of plugins with unresolved security vulnerabilities.
> 
> == Following Up Later
> 
> Some maintainers end up fixing security vulnerabilities after we have announced them as unresolved in their plugin.
> This can be any time between hours and years after publication.
> 
> In those cases, security advisories will _not_ be amended, as the information provided was correct at the time of publication.
> Additionally, the security advisory will be clear that the lack of a fix is only known "_as of publication of this advisory_".
> 
> We will update the security warnings metadata that is shown to administrators in Jenkins and on https://plugins.jenkins.io/[the plugins site].
> Maintainers can inform us through Jira or email about a fix or https://github.com/jenkins-infra/update-center2/#security-warnings[file a pull request updating the warnings metadata] themselves.
> Once we confirm the fix is correct and complete, we will update the published warnings metadata.
> This will remove the active security warning from the plugin entry on the plugins site and from the plugin manager directly in Jenkins.

Alexander
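The quoted process relies on administrators noticing the warnings metadata that the update sites publish for their installed plugins. As an added example that is not part of this thread, the jenkins.io page, or the Jenkins project's own code, the following Python script checks a plugin inventory against a constructed sample of that metadata. It assumes the `warnings` entry shape of the update-center JSON (`id`, `type`, `name`, `message`, `url`, and a `versions` list of regex `pattern` ranges) and mirrors the Jenkins convention, taken here as an assumption, that an empty `versions` list means every version is affected, which is how an unresolved vulnerability with no fixed version is expressed. The `SECURITY-PLACEHOLDER-*` ids and advisory URLs are constructed placeholders, not real advisories.

```python
"""Flag installed Jenkins plugins that carry an active update-site security warning."""
import json
import re

# Constructed sample of the "warnings" array published by the Jenkins update sites.
# Assumption: field names mirror update-center.json; ids and URLs are placeholders.
SAMPLE_WARNINGS_JSON = json.dumps([
    {
        "id": "SECURITY-PLACEHOLDER-1",
        "type": "plugin",
        "name": "example-unfixed",
        "message": "Unresolved vulnerability, no fix as of publication of this advisory",
        "url": "https://www.jenkins.io/security/advisory/PLACEHOLDER-1/",
        "versions": [],  # empty list: every released version is affected (assumption)
    },
    {
        "id": "SECURITY-PLACEHOLDER-2",
        "type": "plugin",
        "name": "example-fixed",
        "message": "Vulnerability fixed in 2.0",
        "url": "https://www.jenkins.io/security/advisory/PLACEHOLDER-2/",
        # Version range expressed as a regex over the version string, 1.0 through 1.9
        "versions": [{"lastVersion": "1.9", "pattern": r"1[.][0-9](|[.-].*)"}],
    },
    {
        "id": "SECURITY-PLACEHOLDER-3",
        "type": "core",
        "name": "core",
        "message": "Core warning, not a plugin warning",
        "url": "https://www.jenkins.io/security/advisory/PLACEHOLDER-3/",
        "versions": [{"pattern": r"2[.]4[0-9][0-9](|[.-].*)"}],
    },
])

# Constructed inventory: plugin short name -> installed version string
SAMPLE_INSTALLED = {
    "example-unfixed": "3.1",
    "example-fixed": "1.4",
    "unrelated-plugin": "0.5",
}


def version_affected(version, version_ranges):
    """Return True when `version` falls inside any listed range.

    An empty range list means the warning applies to all versions (assumption
    mirroring the Jenkins update-site convention). Each range carries a regex
    `pattern` that must match the whole version string.
    """
    if not version_ranges:
        return True
    return any(re.fullmatch(rng["pattern"], version) for rng in version_ranges)


def active_plugin_warnings(warnings_json, installed):
    """Return sorted (plugin, version, warning id, url) tuples for installed
    plugins whose version is covered by a plugin-type warning."""
    hits = []
    for warning in json.loads(warnings_json):
        if warning.get("type") != "plugin":
            continue  # core warnings are matched against the Jenkins version, not plugins
        installed_version = installed.get(warning["name"])
        if installed_version is None:
            continue  # plugin not installed here
        if version_affected(installed_version, warning.get("versions", [])):
            hits.append((warning["name"], installed_version, warning["id"], warning["url"]))
    return sorted(hits)


def format_report(hits):
    """Render the findings as one line per affected plugin for an admin to review."""
    if not hits:
        return "No installed plugins with active security warnings."
    return "\n".join(f"{name} {version}: {wid} ({url})" for name, version, wid, url in hits)


if __name__ == "__main__":
    print(format_report(active_plugin_warnings(SAMPLE_WARNINGS_JSON, SAMPLE_INSTALLED)))
```

In a real deployment the inventory would come from the instance's plugin manager and the warnings array from the update site the instance is configured to use; the matching logic stays the same, and a plugin that is upgraded past the advisory's fixed version drops out of the report once the published metadata is updated, as the quoted text describes.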
