Plugins affected by the SECURITY-901 fix

Several authentication-related plugins do not work on Jenkins releases with the SECURITY-901 fix.

The fix requires that security realms call SecurityListener#authenticated or SecurityListener#loggedIn after successful authentication. If a security realm does not do either, sessions will be invalidated immediately, and users logged out again.
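For plugin maintainers, the following sketch shows where that call belongs in a realm that completes login itself (for example in an SSO callback) instead of going through Jenkins' built-in login form. It is an added example, not code from Jenkins core or from any plugin listed here: the class `ExampleLoginCompletion` and the method `completeLogin` are hypothetical, and it assumes the Acegi Security types that Jenkins 2.150.2 and 2.160 expose. `SecurityListener.fireAuthenticated` and `SecurityListener.fireLoggedIn` are the static helpers that dispatch to the `authenticated` and `loggedIn` callbacks named above.

```java
import hudson.security.SecurityRealm;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;

/** Hypothetical helper for a security realm that runs its own login flow. */
public final class ExampleLoginCompletion {

    private ExampleLoginCompletion() {}

    /**
     * Call once the external identity provider has verified the user.
     * Assumption: verifiedUsername comes from a response the realm has
     * already validated (signature, audience, expiry, ...).
     */
    public static void completeLogin(String verifiedUsername) {
        GrantedAuthority[] authorities = { SecurityRealm.AUTHENTICATED_AUTHORITY };

        // No local password exists for an externally authenticated user, so
        // an empty string is stored (Acegi's User rejects null, not "").
        UserDetails details =
                new User(verifiedUsername, "", true, true, true, true, authorities);
        Authentication token =
                new UsernamePasswordAuthenticationToken(details, "", authorities);

        // Before the SECURITY-901 fix, many realms stopped here.
        SecurityContextHolder.getContext().setAuthentication(token);

        // Required on releases with the fix: without one of these
        // notifications the new session is invalidated immediately and the
        // user is logged out again.
        SecurityListener.fireAuthenticated(details);
        SecurityListener.fireLoggedIn(verifiedUsername);
    }
}
```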

To disable this security fix when using a security realm that does not call SecurityListener as described above, set the Java system property jenkins.security.seed.UserSeedProperty.disableUserSeed to true.

Unsafe

Setting this system property will undo the additional protection provided by the security fix.

Further references

Affected plugins

The table below lists plugins that were affected by the SECURITY-901 fix in Jenkins 2.150.2 and 2.160. The "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.
