Backporting for 2.479.3 LTS - part 2 #10103
Merged
Backporting for 2.479.3 LTS (part 2)
Latest core version: jenkins-2.492 (unreleased)
The pull request to the master branch has been merged for inclusion in the 7 Jan 2025 release of Jenkins 2.492.
The Apache MINA core library has reported CVE-2024-52046, an issue for MINA users that use ioBuffer.getObject(). Jenkins is not affected by the issue, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable. Let's backport the change to the stable-2.479 line so that it can be part of Jenkins 2.479.3.
This is an exception to the policy that we only backport to an LTS after a change has been merged to the Jenkins weekly release. I think this exception should be approved so that we reduce the amount of time that the Jenkins security team must spend explaining that Jenkins is not vulnerable to this issue. It is simpler to include the updated library plugin than to spend time explaining why this is not an issue.
Changes included in this upgrade are:
Testing done
I've been using the updated API plugin in my Jenkins controller since shortly after it was released. I've used the preceding releases in Jenkins LTS and in Jenkins weekly releases. No issues detected in any of those cases.
Proposed changelog entries
Proposed upgrade guidelines
N/A
Submitter checklist
Desired reviewers
@olamy, @timja, @Wadeck, @daniel-beck
Before the changes are marked as ready-for-merge:
Maintainer checklist