fix(deps): update dependency org.jenkins-ci.plugins.workflow:workflow-cps-global-lib to v588 [security] #5248
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
…-cps-global-lib to v588 [security]
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.6->588.v576c103a_ff86Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2022-29047
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request’s destination branch instead.
In Pipeline: Deprecated Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier the same protection does not apply to uses of the
librarystep with aretrieverargument pointing to a library in the current build’s repository and branch (e.g.,library(…, retriever: legacySCM(scm))). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.Pipeline: Deprecated Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.
CVE-2022-43405
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the l
ibraryPipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be used to instantiate classes defined in the loaded library.In Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier, the
librarystep can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This is similar to SECURITY-582 in the 2017-08-07 security advisory, but in a different plugin.This vulnerability allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Pipeline: Groovy Libraries Plugin 613.v9c41a_160233f rejects improper calls to sandbox-generated synthetic constructors when using the
librarystep.Pipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86 no longer contains the
librarystep. It has been moved into the Pipeline: Groovy Libraries Plugin.CVE-2022-25174
Jenkins Pipeline: Shared Groovy Libraries Plugin prior to 561.va_ce0de3c2d69, 2.21.1, and 2.18.1 uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
CVE-2022-25177
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
CVE-2022-25178
Jenkins Pipeline: Shared Groovy Libraries Plugin does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.
CVE-2019-10357
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.
Release Notes
jenkinsci/workflow-cps-global-lib-plugin (org.jenkins-ci.plugins.workflow:workflow-cps-global-lib)
v588.v576c103a_ff86Compare Source
This plugin now contains only the old system whereby you could
git clone https://jenkins/workflowLibs.gitand push changes to a single library to a Git service hosted by Jenkins itself. That system is long since deprecated and rarely used. If you have updated to this version, you should already have the new plugin Pipeline: Groovy Libraries which contains the system of libraries loaded from an SCM of your choice which most people know about and use; assuming you are not usingworkflowLibs.git, you may now uninstall this plugin (now renamed Pipeline: Deprecated Groovy Libraries).You may wish to further uninstall Git Server if it is otherwise unused; and in turn SSH Server assuming you are not using the SSH transport for the Jenkins CLI (most people use HTTP or WebSocket transport).
🚨 Removed
v583.vf3b_454e43966Compare Source
👷 Changes for plugin developers
v581.ve633085a_8a_87Compare Source
🐛 Bug fixes
v575.v24fa_0a_b_f7383Compare Source
👷 Changes for plugin developers
LibraryMemoryTest#loaderReleasedfails on Java 17 whensupport-coreis present (#163) @basil📦 Dependency updates
v570.v21311f4951f8Compare Source
🚀 New features and improvements
📦 Dependency updates
v566.vd0a_a_3334a_555Compare Source
v564.ve62a_4eb_b_e039Compare Source
🐛 Bug fixes
🚦 Tests
v561.va_ce0de3c2d69Compare Source
🐛 Security fixes
ace0de3)📦 Dependency updates
📝 Documentation updates
v552.554.vdba55efb9e88Compare Source
v544.vff04fa68714dNOTE: This release accidentally moves Jenkins to 2.304. 545.v7b28cce323cf moves it down to 2.303.1
🐛 Bug fixes
👻 Maintenance
SCMSourceRetrieverleaks@libsworkspaces (#115) @basilv2.21.3v2.21.1v2.21: v2.21 🌈🚀 New features and improvements
v2.19Release date: 2021-04-30
v2.18Release date: 2021-02-19
ConcurrentModificationExceptionfrom being thrown when serializingLibrariesAction.libraries(JENKINS-41037)v2.17Release date: 2020-07-20
commons-lang3to avoid version conflicts withjenkins-test-harnessin downstream projects. (PR 94)v2.16Release date: 2020-03-13
src/test/in shared libraries from being used by Pipelines, as these files were likely only intended to be used in tests for the libraries rather than by Pipelines, and depending on the contents ofsrc/test/, it may be unsafe for those files to be exposed to Pipelines. To restore the previous behavior that allowed access to files in src/test/, pass-Dorg.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES=trueto the java command used to start Jenkins. (PR 91)v2.15Release date: 2019-07-31
v2.14Release date: 2019-07-11
Make folder-scoped credentials work correctly with shared libraries.
Do not add a UUID parameter when constructing the
librarystep onthe Pipeline Syntax page.
63) -
Support for SCM retry count did not retry the checkout attempt for
certain kinds of errors when it should have.
66) -
Do not add nullability annotations to primitive types.
67, PR
70, PR
73)
- Dependency and test updates, new integration tests for issues
fixed in upstream plugins.
v2.13Release date: 2019-02-01
59) -
Support for SCM retry count added in 2.12 did not apply to some SCM
operations.
57)
- Avoid use of deprecated APIs.
44,
PR
56) -
Add additional tests and update tests to run correctly on Windows
v2.12Release date: 2018-10-02
Make compilation errors in shared libraries serializable so that the
actual compilation error is reported instead of
a
NotSerializableExceptionin some cases.v2.11Release date: 2018-09-08
Fix a file leak introduced in version 2.10 of this plugin affecting
all uses of the
libraryResourcestep.v2.10Release date: 2018-08-21
Jenkins 2.60.3 or newer.
Add an optional encoding argument to the
libraryResourcestep.
Base64is a supported encoding, and will cause the resourceto be loaded as a Base64-encoded string, which is useful for copying
binary resources such as images when combined with Pipeline: Basic
Steps 2.8.1 or higher.
v2.9Release date: 2017-09-13
allow excluding shared libraries from changelogs (and therefore from
SCM polling as well) via global configuration option
and/or
@Library(value="some-lib@master", changelog=false).v2.8Release date: 2017-04-24
irrelevant):
*.txtglobal variable help fileslibraries
librarystep depending onfilesystem canonicalization
v2.7Release date: 2017-03-03
Added a
librarystep as a dynamic alternative to@Libraryusedsince 2.3.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.