Thursday, July 13, 2017

Security Release: Jenkins plugin vulnerabilities

The Jenkins project has published a security advisory covering vulnerabilities in several plugins. The affected plugins are:
  • Docker Commons Plugin up to and including version 1.7
  • Git Plugin up to and including version 3.3.1 and 2.4.0-beta-1
  • GitHub Branch Source Plugin up to and including version 2.0.7 and 2.2.0-beta-1
  • Parameterized Trigger Plugin up to and including version 2.34
  • Periodic Backup Plugin up to and including version 1.4
  • Pipeline: Build Step Plugin up to and including version 2.5
  • Pipeline: Groovy Plugin up to and including version 2.36
  • Poll SCM Plugin up to and including version 1.3
  • Role-based Authorization Strategy Plugin up to and including version 2.5.0
  • Script Security Plugin up to and including version 1.29
  • Sidebar Link Plugin up to and including version 1.8
  • SSH Plugin up to and including version 2.4
  • Subversion Plugin up to and including version 2.8
Bitnami deployments include some of these plugins by default. It is strongly recommended that you update your Jenkins plugins to the latest version. You can upgrade the plugins of your Bitnami Jenkins deployment by following our documentation.

For new application deployments, Bitnami has released Jenkins 2.60.1 LTS installers, virtual machines and cloud images with the latest versions of the plugins, which include the security fixes. If you deploy Bitnami Jenkins via one of our cloud partner marketplaces and it is not yet updated to 2.60.1, we strongly suggest that you update your Jenkins plugins to the latest version. If you are using the Bitnami Jenkins Docker container image, please follow the documentation in our GitHub repository to upgrade your deployment to Jenkins version 2.69 with the latest plugins.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forums and we will be happy to help you.