On 06/08/2016 05:51 AM, Darragh Bailey wrote:
--[snip]--
> > Unfortunately it's come to our attention that this feature in
> > Jenkins requires the Administrator permission which can be
> > problematic if you have an environment where you prefer not to
> > give this permission out. I think the ideal solution is to build
> > into Jenkins a separate permission for viewing plugin
> > information. I'll try contacting Jenkins devs to see if this is
> > something they can do inside Jenkins.
>
> Curious to know what version of Jenkins you used? Is this a new security
> feature added by recent versions, or is it something depending on what
> other permissions have been enabled by default for various users?
>
> Because I can query a 1.565.3 installation of Jenkins for its list of
> plugins as an anonymous user using the following URL:

The behavior changed between 1.651.1 and 1.652.2. Specifically this was a security fix that came in with 1.652.2. See the security fixes [0] that came with the release notes. Search for SECURITY-250 or CVE-2016-3723.

-Andy-

[0] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

--
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation
_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
