Tuesday, August 8, 2017

Security Release: Jenkins Plugins Vulnerabilities

The Jenkins project has published a security advisory covering vulnerabilities in several plugins. These are the affected plugins:
  • Blue Ocean:
    • GitHub Pipeline for Blue Ocean up to and including 1.1.5, 1.2.0 beta releases up to and including 1.2.0-beta-3
    • REST Implementation for Blue Ocean up to and including 1.1.5, 1.2.0 beta releases up to and including 1.2.0-beta-3
    • Bitbucket Pipeline for Blue Ocean 1.2.0-beta-3
  • Config File Provider Plugin up to and including 2.16.1
  • Datadog Plugin up to and including 0.5.6
  • Deploy to container Plugin up to and including 1.12
  • DRY Plugin up to and including 2.48
  • OWASP Dependency-Check Plugin up to and including 2.0.1.1
  • Pipeline: Groovy Plugin up to and including 2.38
  • Pipeline: Input Step Plugin up to and including 2.7
  • Script Security Plugin up to and including 1.30
  • Static Analysis Utilities Plugin up to and including 1.91
Bitnami deployments include some of these plugins by default. It is strongly recommended that you update your Jenkins plugins to the latest version, Jenkins 2.60.2-1. You can upgrade the plugins of your Bitnami Jenkins application following our documentation.

For new application deployments, Bitnami has released Jenkins 2.60.2-1 LTS installers, virtual machines and cloud images with the latest versions of the plugins that include the security fixes. If you deploy Bitnami Jenkins via one of our cloud partner marketplaces and it is not yet updated to 2.60.2-1, we strongly suggest that you update your Jenkins plugins to this latest version. If you are using the Bitnami Jenkins Docker container image, please follow the documentation in our GitHub repository to upgrade your deployment to the 2.73 Jenkins version with the latest plugins.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forums and we will be happy to help you.