audit-log-plugin
New plugin release with log4j v2.17.1
Hello, is it possible to generate a new version of the audit-log plugin which uses log4j v2.17.1 because of this CVE: CVE-2021-45105?
@daniel-beck can you use your superpowers again? I haven't gotten around to enabling CD here yet.
Sorry, that's quite a bit of hassle to not mess up accidentally, and IIUC the new vulnerability is far less severe (and in fact fairly unlikely to be exploitable anywhere). I think you're just a password reset away from being able to release yourself?
I already reset my password. Back when I tried to release from Maven, I got 403 errors or something like that. I could try again at some point, though. And you're right, the latest CVEs aren't even really applicable to this plugin.
If a snapshot deploy works, authentication works. What's left is confirming coordinates and user name in https://github.com/jenkins-infra/repository-permissions-updater/blob/master/permissions/plugin-audit-log.yml are correct (and a mismatch in the former wouldn't allow CD either).
Any news on the release of the version of audit log?
@daniel-beck @jvz Any news on the release of the version of audit log?
I haven't had a chance to reset my deployment settings yet.
I'm waiting too :) https://github.com/jenkinsci/audit-log-plugin/pull/87/commits/37efd33bb1af9f836c56c18f4388b3ebbcdc6774
Hi, any idea when this is going to get fixed?
@daniel-beck @jvz Any news about that ticket? When a Nessus scan is done on a machine where Jenkins is installed with this plugin, an error is raised because the plugin uses log4j v2.16.0. v2.17.1 is needed now.
Waiting for this update.