Page MenuHomePhabricator

Upgrade Jenkins to 2.73.2 (security release)
Closed, ResolvedPublic

Description

We've released new versions of Jenkins and Swarm Plugin today to fix several security vulnerabilities.

These vulnerabilities affect all previous releases:

  • weekly releases up to and including 2.83
  • LTS releases up to and including 2.73.1
  • Swarm Plugin (client) up to and including 3.4

We recommend updating to the new releases:

  • Jenkins weekly 2.84
    • Jenkins LTS 2.73.2**
  • Swarm Plugin (client) 3.5

Additionally, the recently released Maven Plugin 3.0 fixes a vulnerability, and distribution of Speaks! Plugin has been suspended due to a vulnerability for which there is no fix available.

Please see the advisory for more details:
https://jenkins.io/security/advisory/2017-10-11/

  • Maven Plugin up to and including 2.17
  • some arbitrary execution command on the master (we are not affected)
  • Update to commons-httpclient which is bundled in several plugins

Event Timeline

hashar created this task.Oct 11 2017, 4:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 11 2017, 4:09 PM
hashar updated the task description. (Show Details)Oct 11 2017, 4:10 PM

Mentioned in SAL (#wikimedia-operations) [2017-10-11T16:12:07Z] <hasharAway> Upgrading Jenkins CI T177962

Installed on contint1001/contint2001 from http://pkg.jenkins-ci.org/debian-stable/binary/jenkins_2.73.2_all.deb

@MoritzMuehlenhoff could you upload it to apt.wikimedia.org please? reprepro should be able to handle all the magic.

Then we would want an apt-get upgrade on releases1001.eqiad.wmnet and releases2001.codfw.wmnet

Mentioned in SAL (#wikimedia-operations) [2017-10-11T16:24:41Z] <hasharAway> Upgrade jenkins Maven integration plugin to 3.0 - T177962

hashar triaged this task as High priority.Oct 11 2017, 4:43 PM
hashar moved this task from Backlog to In-progress on the Release-Engineering-Team (Kanban) board.

I've uploaded 2.73.2 to apt.wikimedia.org

hashar closed this task as Resolved.Oct 11 2017, 7:28 PM
hashar added a subscriber: Dzahn.

21:27:51 <@Dzahn> !log releases2001 - upgraded jenkins to 2.73.2, kept existing config (vs overwriting with package config)

:)

Mentioned in SAL (#wikimedia-operations) [2017-10-11T19:29:24Z] <mutante> releases1001 - same as 2001, upgraded jenkins to 2.73.2, kept existing config (T177962)

Dzahn added a comment.Oct 11 2017, 8:09 PM

19:20 mutante: apt: reprepro copy stretch-wikimedia jessie-wikimedia jenkins