On 10.01.2014, at 18:11, teilo <teilo+goo...@teilo.net> wrote:

> Have you helped to improve this situation by actually reporting them via the 
> proper channels?

Yes. That's why I consider the resolution process to be broken. The "proper 
channels" don't work.

The first security issue I reported was SECURITY-35 in email-ext (installed on 
30% of all instances) which I re-filed publicly as JENKINS-15213 after getting 
no response for three months. The email-ext author informed me he didn't 
receive any information from those with access to the private issue tracker and 
quickly fixed the problem. Another five months later, a response to SECURITY-35 
arrived, explaining that, because the process was broken, some issues were 
overlooked.

Then there's the ongoing SECURITY-87: I reported that anyone can trivially DoS 
any Jenkins instance (including those where anonymous has no permissions) on 13 
Aug 2013. AFAICT the problem persists. Sure, it's not privilege escalation, but 
still annoying if you're running a public instance.

Another example of a security issue in current LTS is JENKINS-20800, which I 
originally reported to Cloudbees Enterprise support in a non-security context 
(so it was filed publicly). I only later found it to be trivially exploitable 
on any Jenkins instance by anyone. Four weeks ago, the fix was backported early 
to LTS, likely because I asked for it on the dev list. But 1.532.2 still 
doesn't even have an RC. Should I have reported it separately as a security 
issue? Maybe, but the developers were aware of this issue, and by then I'd 
mostly given up on "proper channels".


-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.