EMERGENCY Jenkins FD.io Maintenance Required


Vanessa Valderrama
 

What:

Jenkins published a security advisory requiring an emergency update to version 2.89.4.

https://jenkins.io/security/advisory/2018-02-14/

When:

Jenkins is being put into shutdown mode to prevent new jobs from starting.  Jenkins will remain in shutdown mode until all jobs complete.  The current ETA is 2 days to allow CSIT jobs to complete.


Once all jobs are complete, LF will upgrade Jenkins and jobs can resume.


Impact:

  • Jenkins jobs will remain in the queue during shutdown until all jobs are complete.
  • During the upgrade Jenkins will be unavailable for approximately 15 minutes.

Why:


Required maintenance to resolve security vulnerabilities

SECURITY-705 / CVE-2018-6356 (https://jenkins.io/security/advisory/2018-02-14/#SECURITY-705)

Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to.

On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

Jenkins now prevents specifying paths containing .. and other character sequences that could be used to access files outside the plugins resource directory.


SECURITY-506 / CVE pending (https://jenkins.io/security/advisory/2018-02-14/#SECURITY-506)

The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration.

If that request’s HTTP response code indicates success, the form validation is returning a generic success message, otherwise the HTTP status code is returned. It was not possible to reuse an existing proxy configuration to send those requests; that configuration had to be provided by the attacker.

The form validation now properly requires the Overall/Administer permission.
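
The two advisory items above, as an added example that is not part of this message or of Jenkins' own code: a plugin-resource path handler that joins a URL-supplied path onto a base directory next to a hardened version that rejects traversal (SECURITY-705), and a proxy form validation that makes an outbound GET next to a version that checks Overall/Administer before doing anything (SECURITY-506). RESOURCE_BASE, the permission-set model, fake_fetch and its fake internal network are assumptions made for this illustration; Overall/Read and Overall/Administer are the permission names the advisory uses.

```python
"""Added illustration of the two advisory items; not Jenkins code.

RESOURCE_BASE, the permission-set model and fake_fetch are assumptions
constructed for this example so that it runs offline.
"""
import posixpath
from urllib.parse import unquote

RESOURCE_BASE = "/var/lib/jenkins/plugins/example/resources"  # assumed base dir


def vulnerable_resource_path(requested: str) -> str:
    """Naive join: "../" segments walk out of RESOURCE_BASE (SECURITY-705)."""
    return posixpath.normpath(posixpath.join(RESOURCE_BASE, requested))


def safe_resource_path(requested: str) -> str:
    """Confine a URL path to RESOURCE_BASE; raise ValueError otherwise."""
    decoded = unquote(requested)  # "%2e%2e" must be seen as ".."
    if decoded.startswith("/") or "\\" in decoded or "\0" in decoded:
        # Absolute paths, backslashes (a separator on Windows) and NUL bytes
        # are never legitimate resource names.
        raise ValueError(f"rejected resource path {requested!r}")
    if ".." in decoded.split("/"):
        # Reject any ".." segment outright, as the fixed Jenkins does.
        raise ValueError(f"rejected resource path {requested!r}")
    candidate = posixpath.normpath(posixpath.join(RESOURCE_BASE, decoded))
    # Second line of defence: the normalised path must still sit under base.
    if posixpath.commonpath([RESOURCE_BASE, candidate]) != RESOURCE_BASE:
        raise ValueError(f"rejected resource path {requested!r}")
    return candidate


READ = "Overall/Read"
ADMINISTER = "Overall/Administer"

# Constructed stand-in for the network Jenkins would reach from the master:
# only two internal URLs answer at all, everything else refuses the connection.
_FAKE_NETWORK = {"http://10.0.0.5:8080/": 200, "http://10.0.0.9:8080/": 503}


def fake_fetch(url: str) -> int:
    """Assumed outbound GET; returns the HTTP status or raises ConnectionError."""
    if url not in _FAKE_NETWORK:
        raise ConnectionError(url)
    return _FAKE_NETWORK[url]


def _probe(url: str, fetch) -> str:
    """Response shape the advisory describes: generic text on 2xx, status otherwise."""
    try:
        status = fetch(url)
    except ConnectionError:
        return "connection failed"
    return "Success" if 200 <= status < 300 else f"HTTP {status}"


def vulnerable_check_proxy(perms: set, url: str, fetch=fake_fetch) -> str:
    # No permission check (SECURITY-506): Overall/Read is enough to make the
    # master fetch any URL and to learn whether the target answered.
    return _probe(url, fetch)


def fixed_check_proxy(perms: set, url: str, fetch=fake_fetch) -> str:
    # The check happens before any request is sent, so a Read-only user
    # causes no outbound traffic at all.
    if ADMINISTER not in perms:
        raise PermissionError(f"{ADMINISTER} required")
    return _probe(url, fetch)


def reachable_hosts(perms: set, urls, check=vulnerable_check_proxy) -> list:
    """What a low-privilege user learns by driving the validation in a loop:
    the generic-success/status/failure split is a reachability oracle."""
    found = []
    for url in urls:
        try:
            if check(perms, url) != "connection failed":
                found.append(url)
        except PermissionError:
            break
    return found
```

On a real filesystem the containment check should run on a resolved path (pathlib's Path.resolve()) so that symlinks inside the resource directory cannot point outside it; the posixpath version above only reasons about the string. The fixed validation still tells an administrator whether a URL answered, which is acceptable because Overall/Administer can already configure the proxy and read the master's files.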


Vanessa Valderrama
 

After further discussion, Jenkins will be taken out of shutdown mode for the weekend. 

The two options discussed:

  • Option 1:  Leave Jenkins in shutdown mode until all jobs are complete
    • This option delays all project development
  • Option 2:  Allow Jenkins to stay in service while the existing CSIT jobs complete
    • This option allows project development to continue but requires LF to abort any additional long running jobs at the time of the upgrade
We apologize for the inconvenience but unfortunately both options will affect CSIT for the weekend.

Once the following jobs are complete, LF will perform the required emergency upgrade.  Any long running jobs not listed below will be aborted to allow the upgrade on Sunday.

  • csit-vpp-perf-1801-all #145
  • csit-vpp-perf-1801-all #146
  • csit-vpp-perf-1801-all #149
  • csit-vpp-perf-1801-all #150
  • csit-vpp-perf-1801-all #151
  • vpp-docs-merge-master #1850

I will send out a notification that Jenkins is going into shutdown mode to prepare for the upgrade on Sunday.

Thank you,
Vanessa

On 02/16/2018 01:47 PM, Vanessa Valderrama wrote:


Vanessa Valderrama
 

Jenkins is in shutdown mode.  We'll be downgrading the build-timeout plugin version to 1.18.  Version 1.19 is not allowing the build-timeouts to be set to no activity which is breaking CSIT jobs.  I've tested version 1.18 on the sandbox and verified this solution will resolve this issue.

Thank you,
Vanessa

On 02/16/2018 04:29 PM, Vanessa Valderrama wrote:


Vanessa Valderrama
 

All maintenance is complete.  Jenkins is back up.  Please contact me via IRC (valderrv) if you experience any issues.

Thank you,
Vanessa

On 02/18/2018 01:24 PM, Vanessa Valderrama wrote:
