Issues updating Jenkins Plugins
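I am using the standalone war on Jenkins version 2.176.
Then I received a security vulnerability alert for plugins here: https://jenkins.io/security/advisory/2020-03-09/
So I decided to update Jenkins; I downloaded the latest version and started Jenkins with it: Jenkins ver. 2.224
Then I updated all the plugins and restarted.
However, under monitoring, I see two notifications.
The first notification says:
"You have data stored in an older format and/or unreadable data."
The second notification says:
"Warnings have been published for the following currently installed components."
Build Pipeline Plugin 1.5.8
- Stored XSS vulnerability
Environment Injector Plugin 2.3.0
- Exposure of sensitive build variables stored by EnvInject 1.90 and earlier
Under the plugin updates tab, I did not find any plugins to update!!
Could you suggest how I can overcome these two issues?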
As of today, there is no new version available for the vulnerable plugins.
For the Environment Injector Plugin vulnerability:
To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:
- Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those ones who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you’ve purged the data on disk (below).
- Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.
- Rotate all secrets that have potentially been exposed
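An added example (not part of the original answer or of the Jenkins advisory) for the second and third steps: it finds injectedEnvVars.txt files under a Jenkins home, lists the sensitive-looking variable names whose secrets need rotating, and can strip those entries or delete the files. The KEY=VALUE file format, the name pattern and the example path /var/lib/jenkins are assumptions.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumptions: entries are KEY=VALUE lines; these name fragments mark secrets.
SENSITIVE = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)
ENC = {"encoding": "utf-8", "errors": "surrogateescape"}  # round-trip odd bytes


def is_sensitive(line):  # KEY=VALUE line whose key matches SENSITIVE
    key, sep, _ = line.partition("=")
    return bool(sep) and bool(SENSITIVE.search(key))


def audit(jenkins_home):
    """Map each injectedEnvVars.txt holding secrets to the variable names found."""
    report = {}
    for path in sorted(Path(jenkins_home).rglob("injectedEnvVars.txt")):
        lines = path.read_text(**ENC).splitlines()
        names = [l.partition("=")[0].strip() for l in lines if is_sensitive(l)]
        if names:
            report[path] = names
    return report


def purge(jenkins_home, delete_files=False):
    """Strip sensitive entries (or delete the files); return what was removed."""
    report = audit(jenkins_home)
    for path in report:
        if delete_files:
            path.unlink()
        else:
            lines = path.read_text(**ENC).splitlines()
            kept = [l + "\n" for l in lines if not is_sensitive(l)]
            path.write_text("".join(kept), **ENC)
    return report


if __name__ == "__main__":
    args = sys.argv[1:]
    if not args:  # no path given: build a constructed sample tree to run offline
        build = Path(tempfile.mkdtemp(), "jobs/demo/builds/1")
        build.mkdir(parents=True)
        (build / "injectedEnvVars.txt").write_text("BUILD_NUMBER=1\nDB_PASSWORD=x\n")
        args = [str(build.parents[3])]
    # e.g. /var/lib/jenkins [--purge | --delete]; the default only reports
    changing = "--purge" in args or "--delete" in args
    found = purge(args[0], "--delete" in args) if changing else audit(args[0])
    for path, names in found.items():
        print(f"{path}: {', '.join(names)}")
```

Run it without flags first: the report is the list of variable names whose values should be rotated, and nothing on disk is changed until `--purge` or `--delete` is given.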