fixing SECURITY-1506 / CVE-2020-2249 #244
Conversation
@keljos are you still around? I believe this plugin is abandoned, and going down the adopt-a-plugin route is the most likely way to progress this: https://www.jenkins.io/doc/developer/plugin-governance/adopt-a-plugin/
This is a big deal, because the TFS plugin hasn't been upgraded to remove the use of the commons-digester library, so the plugin now stops working on Jenkins v2.297 (Weekly, 2021-06-08) or v2.303.1 (LTS, 2021-08-25). Now we have to choose between a vulnerable build of Jenkins, switching to Git, or removing the plugin and using the command line to interact with TFS?
Or adopting it :)
There are also fixes out there to work without commons-digester. Here: glevy/tfs-plugin@2680aaf source is https://issues.jenkins.io/browse/JENKINS-65867
I wish I could adopt it or even build an hpi file from source. Sadly I am a .NET developer. Can some kind soul provide a build of this PR or glevy's fork?
It's not hard to build (I am also just a C# developer, but Java is mostly the same):
Run unit tests: Do not run unit tests:
glevy came through, binary available here: https://github.com/glevy/tfs-plugin/releases/tag/commons-digester2
fix SECURITY-1506 / CVE-2020-2249 by using Secret class
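The commit message names the fix pattern (storing the credential as `hudson.util.Secret` instead of a plain `String`) without showing it. The following is an added illustration of that pattern, not code from this PR or the TFS plugin; the class and field names are hypothetical, and it assumes `jenkins-core` on the classpath.

```java
// Added example, not the TFS plugin's code. Requires jenkins-core
// (hudson.util.Secret); class and field names are hypothetical.
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class ServerConnection {

    // Weak form: a String field is written to config.xml verbatim, so
    // anyone who can read the job or global config file reads the password.
    // private String password;

    // Hardened form: Secret is serialised in encrypted form, using the
    // instance's master key, and decrypted only when getPlainText() is called.
    private Secret password;

    @DataBoundConstructor
    public ServerConnection(Secret password) {
        this.password = password;
    }

    // Keep Secret in the getter so the value stays protected in the
    // Jelly form round-trip (bind it with <f:password>, not <f:textbox>).
    public Secret getPassword() {
        return password;
    }

    // Decrypt at the single point of use and do not keep the result around.
    String plainTextForClient() {
        return Secret.toString(password); // "" if password is null
    }

    // Upgrading an existing config.xml: Secret.fromString() accepts either an
    // already-encrypted value or legacy plaintext, so old entries load and are
    // re-encrypted on the next save.
    static Secret migrate(String stored) {
        return Secret.fromString(stored);
    }
}
```

Check after deploying such a change by saving the configuration once and confirming the value in config.xml is now an encrypted blob rather than the plaintext password.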