[JIRA] [subversion] (JENKINS-21759) Central configuration of repository user tear open a serious security leak
Steffen Mork created JENKINS-21759: Central configuration of repository user tear open a serious security leak

Issue Type: Bug
Assignee: Unassigned
Components: subversion
Created: 11/Feb/14 1:38 PM

Description:
Everybody who has job configuration access rights (a so-called job configurator) can select any Subversion repository user configured centrally in Jenkins. In past versions the job configurator had to know the user and password combination of the Subversion repository used. Now it is possible for the job configurator to configure a Subversion repository without having access rights, knowing only the URL and the user login but not the password. So the job configurator can bypass Subversion repository access restrictions to gain access to that repository's content.

We have about 200 jobs configured and use project-specific authorization. Lots of jobs have active NDAs. So this is a serious security issue for us.

Project: Jenkins
Labels: subversion
Priority: Critical
Reporter: Steffen Mork

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.

[JIRA] [subversion] (JENKINS-21712) Jenkins Update breaks Subversion credential configuration
Steffen Mork created JENKINS-21712: Jenkins Update breaks Subversion credential configuration

Issue Type: Bug
Assignee: Unassigned
Components: subversion
Created: 07/Feb/14 12:41 PM

Description:
Since Subversion plugin 2.0 the Subversion credential storage has changed. The credentials must be configured globally, while the Subversion access user inside a job is configured with a combobox selecting from the globally configured CI-User. After upgrading to 1.458 all credential information in all Subversion-based jobs is lost. This means reconfiguring more than 150 jobs. The global configuration of credentials is confusing and time-consuming. Please roll back the type of configuration of the Subversion credentials to the previous one.

Due Date: 07/Feb/14 12:00 AM
Environment: Jenkins 1.548, Subversion plugin 2.0 on Ubuntu 12.04.4 amd64 with Tomcat 6 and OpenJDK 7.0
Project: Jenkins
Priority: Critical
Reporter: Steffen Mork
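
An added example, not part of either report or of the Jenkins project's code: a small audit that reads job configurations and flags jobs whose Subversion location references a globally stored credential outside an allow-list, the situation described in JENKINS-21759 and made possible by the global credential selection described in JENKINS-21712. The config.xml element names, the sample jobs and the ALLOWED policy are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed template for the SCM part of a job config.xml. The element names
# are assumed to match what Subversion plugin 2.x writes; verify on your own jobs.
TEMPLATE = """<project><scm class="hudson.scm.SubversionSCM"><locations>
  <hudson.scm.SubversionSCM_-ModuleLocation>
    <remote>{remote}</remote>{cred}
  </hudson.scm.SubversionSCM_-ModuleLocation>
</locations></scm></project>"""

def sample(remote, cred_id=None):
    cred = f"<credentialsId>{cred_id}</credentialsId>" if cred_id else ""
    return TEMPLATE.format(remote=remote, cred=cred)

# Constructed sample jobs: name -> config.xml text.
JOBS = {
    "projA-build": sample("https://svn.example.test/projA/trunk", "cred-projA"),
    "projB-build": sample("https://svn.example.test/projA/trunk", "cred-projA"),
    "projB-test": sample("https://svn.example.test/projB/trunk", "cred-projB"),
    "legacy": sample("https://svn.example.test/public/trunk"),
}

# Hypothetical policy: job-name prefixes allowed to use each central credential.
ALLOWED = {"cred-projA": ("projA-",), "cred-projB": ("projB-",)}

def svn_locations(config_xml):
    """Yield (remote URL, credentialsId) for every Subversion module location."""
    root = ET.fromstring(config_xml)
    for loc in root.iter("hudson.scm.SubversionSCM_-ModuleLocation"):
        yield (loc.findtext("remote", "").strip(),
               loc.findtext("credentialsId", "").strip())

def audit(jobs, allowed):
    """Return (job, credentialsId, remote) for each use the policy does not permit."""
    findings = []
    for job, config_xml in sorted(jobs.items()):
        for remote, cred in svn_locations(config_xml):
            if not cred:
                continue  # no central credential referenced
            prefixes = allowed.get(cred)
            # Unknown credentials are reported too: nobody has approved them.
            if prefixes is None or not job.startswith(prefixes):
                findings.append((job, cred, remote))
    return findings

if __name__ == "__main__":
    for job, cred, remote in audit(JOBS, ALLOWED):
        print(f"{job}: uses {cred} for {remote} (not permitted by policy)")
```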