Hi all

I have a question about a vulnerability, in particular the
CSRF vulnerability in the OpenID Plugin.

OpenID does not use state in the protocol, so there is no concept of
it, but there is a concept of a nonce, and reading OpenID 2.0 that is not
supposed to be. Can I know more information about it?

Michael

On Mon, Feb 19, 2024 at 2:19 PM Michael Nazzareno Trimarchi
<[email protected]> wrote:
>
> Hi Daniel, all
>
> On Mon, Feb 19, 2024 at 2:12 PM 'Daniel Beck' via Jenkins Developers
> <[email protected]> wrote:
> >
> >
> > On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier 
> > <[email protected]> wrote:
> >>
> >> Please note that the plugin has multiple public security issues. I'm sure 
> >> the security team will require you to resolve them before any release can 
> >> be deployed.
> >
> >
> > While we definitely prefer that (new) maintainers address unresolved 
> > vulnerabilities as early as possible, we do not generally require that for 
> > new releases, with two exceptions:
> >
> > * Plugins blocked from releasing because we identified a vulnerability 
> > introduced since the latest release. Look for "releaseblock" in RPU for 
> > examples.
> > * Unsuspending plugins. In terms of security, we consider that to be 
> > similar to new plugin hosting, so to restore publication, we ask that 
> > security issues (publicly known or not) be addressed first.
> >
> > For anything else, the security warnings shown in Jenkins and on the 
> > plugins site will remain active even for new releases.
> >
> > Some (few) plugins are actively maintained while not addressing previously 
> > announced security vulnerabilities. Administrators can make an informed 
> > decision on whether they want to install (or keep installed) such plugins.
> >
> > --
> > You received this message because you are subscribed to the Google Groups 
> > "Jenkins Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected].
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLDhhbUEHA-YvAARisdpvdAq59CC4Wkn8ET771bvoFSXw%40mail.gmail.com.
>
> Working to address vulnerabilities.
>
> Michael
>
>
> --
> Michael Nazzareno Trimarchi
> Co-Founder & Chief Executive Officer
> M. +39 347 913 2170
> [email protected]
> __________________________________
>
> Amarula Solutions BV
> Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
> T. +31 (0)85 111 9172
> [email protected]
> www.amarulasolutions.com


