ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey <[email protected]> wrote: > The 1.652.x series is an lts release, so fixes were backported to it that > are not in subsequent dev releases. > > Darragh Bailey > "Nothing is foolproof to a sufficiently talented fool" - unknown > > On 14 Jun 2016 20:02, "Zaro" <[email protected]> wrote: >> >> ----- [ snippet ] ------------ >> > >> > The behavior changed between 1.651.1 and 1.652.2. >> > >> > Specifically this was a security fix that came in with 1.652.2. See the >> > security fixes [0] that came with the release notes. Search for >> > SECURITY-250 or CVE-2016-3723. >> > >> > -Andy- >> > >> > [0] >> > >> > https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 >> >> Hmm. I just tested with Jenkins ver 1.653 and was still able to >> access plugin info using REST api as an anonymous user. >> I enabled security with following settings: >> * jenkins own db >> * logged-in user can do anything >> * prevent cross site request >> >> While not logged in I can get plugin info using >> '<jenkins-baseurl>/pluginManager/api/json?depth=1' >> >> Maybe this there's some setting you have enabled that's causing your >> jenkins to require admin to access plugin info? _______________________________________________ OpenStack-Infra mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
