Plugins affected by fix for SECURITY-170

| Plugin name | Behaviour | Issue | Status |
| --- | --- | --- | --- |
| CloudBees Docker Hub Notification | ? | ? | PR |
| Delivery Pipeline Plugin | PIPELINE_VERSION doesn't get created | JENKINS-34805 | PR |
| Gearman Plugin | Parameters are stripped unless defined. Should be made to autowhitelist. | JENKINS-34885 | Not fixed |
| Gerrit Trigger | Builds fail with message "stderr: fatal: Couldn't find remote ref $GERRIT_REFSPEC". Parameter names used: GERRIT_EVENT_TYPE, GERRIT_EVENT_HASH, GERRIT_BRANCH, GERRIT_TOPIC, GERRIT_CHANGE_NUMBER, GERRIT_CHANGE_ID, GERRIT_PATCHSET_NUMBER, GERRIT_PATCHSET_REVISION, GERRIT_REFSPEC, GERRIT_PROJECT, GERRIT_CHANGE_SUBJECT, GERRIT_CHANGE_COMMIT_MESSAGE, GERRIT_CHANGE_URL, GERRIT_CHANGE_OWNER, GERRIT_CHANGE_OWNER_NAME, GERRIT_CHANGE_OWNER_EMAIL, GERRIT_PATCHSET_UPLOADER, GERRIT_PATCHSET_UPLOADER_NAME | JENKINS-34753 | PR - fixed in 2.21.0 |
| GitHub Pull Request Builder Plugin | If using the standard ${sha1} branch spec, builds will fail with "Couldn't find any revision to build". Pull requests remain in the "pending" state as the plugin fails to update the PR with the build outcome. Parameter names used: ghprbActualCommit, ghprbActualCommitAuthor, ghprbActualCommitAuthorEmail, ghprbAuthorRepoGitUrl, ghprbCommentBody, ghprbCredentialsId, ghprbGhRepository, ghprbPullAuthorEmail, ghprbPullAuthorLogin, ghprbPullAuthorLoginMention, ghprbPullDescription, ghprbPullId, ghprbPullLink, ghprbPullLongDescription, ghprbPullTitle, ghprbSourceBranch, ghprbTargetBranch, ghprbTriggerAuthor, ghprbTriggerAuthorEmail, ghprbTriggerAuthorLogin, ghprbTriggerAuthorLoginMention, GIT_BRANCH, sha1 | JENKINS-34762 | Fixed Fix removed in 1.32.2; Tentative fix in 1.32.1 (fix) |
| Inheritance Plugin | Parameters defined on a `super` project are not expanded in a derived project | JENKINS-34831 | Not fixed |
| Job Generator Plugin | Parameters aren't passed to child jobs | JENKINS-34814 | Not fixed |
| Lockable Resources Plugin | Reserved resources variable name will not pass to the build | JENKINS-34853 | PR - fixed in 1.9 |
| Matrix Project Plugin | Parameters defined on a project are not passed to child jobs | JENKINS-34758 | PR - fixed in 1.7 |
| Parameterized Trigger Plugin | Parameters (e.g. when using properties files as source) are only passed if they are defined on the downstream job. This is the behavior intended by SECURITY-170; see Jenkins Security Advisory 2016-05-11. | n/a | Won't fix (hopefully) |
| Promoted Builds Plugin | Promoted builds do not receive parameter values defined at the job level | JENKINS-34826 | Fixed in 2.27 (fix) |
| Release Plugin | Release parameters are not passed to the build | JENKINS-34996 | PR |
| Stash pullrequest builder plugin | Builds will fail with "Couldn't find any revision to build". As this plugin accepts arbitrary parameters, it's one of the plugins that caused SECURITY-170. Parameter names used: pullRequestId, pullRequestTitle, sourceBranch, targetBranch, sourceRepositoryOwner, sourceRepositoryName, destinationRepositoryOwner, destinationRepositoryName, sourceCommitHash, destinationCommitHash | #84 | Not fixed |
| P4 Plugin | Parameters generated for review builds are not passed. Parameter names used: json, review, change, status, pass, fail, label, Submit. Note that there may be more missing parameters for other special build types. | JENKINS-35210 | Not fixed |
| M2 Release Plugin | SCM username and password environment variables, if configured, are not set | JENKINS-35261 | Not fixed |