Wadeck Follonier
Wadeck is the Jenkins security officer, leading the security team in improving Jenkins security. He likes to provide solutions that are both useful and easy to use.
Key Takeaways JDK21 is available on the infrastructure and in official Docker images too. 💥Breaking change: set Java 17 as default for LTS. Prototype has been removed as of weekly 2.426 Contributed by: Wadeck Follonier Core security advisory published on October 18 https://jenkins.io/security/advisory/2023-10-18/ Includes an essential Jetty update that provided multiple fixes. Plugin security advisory published on October 25 https://jenkins.io/security/advisory/2023-10-25/ Multiple high score vulnerabilities in various plugins During Hacktoberfest, the Content...
Key Takeaways JDK21 is around the corner Contributed by: Wadeck Follonier A plugin security advisory was published on September 6. Security Advisory 2023-09-06 This included multiple high score vulnerabilities in various plugins. A core security advisory was published on September 20. Security Advisory 2023-09-20 Multiple vulnerabilities were corrected in core. This advisory also included fixes for a plugin. Contributed by: Mark Waite Voter registration is now open for the 2023 Jenkins...
Key Takeaways Jenkins project reports growth of 79% in Jenkins Pipeline, used to propel software delivery. Contributed by: Wadeck Follonier Andrea Chiera completed his 3 months internship within the Security team, auditing 100 plugins and finding 20+ vulnerabilities. Summer Internship in Jenkins security Thank you very much for your involvement and also to the team for mentoring him. A Plugin security advisory was published on August...
Context Jenkins is an open-source CI/CD solution that is extensible with a wide range of plugins that can be installed using the Jenkins plugin distribution repository or via manual installation. This extensibility is a powerful feature of Jenkins, but it is a critical aspect that has to be secured to avoid risks and vulnerabilities that can impact the Jenkins system. The internship took...
Key Takeaways A Jenkins Core security advisory was published on July 26 The official documentation has migrated to Java 17 Operating system end of life notifications have been added Contributed by: Wadeck Follonier During July, there were two Security Advisories published: Plugin security advisory published on July 12 Multiple high-score vulnerabilities A total of 16 plugins were affected Jenkins core and plugins security advisory published on July 26 The highest...
Key Takeaways Red Hat Enterprise Linux 7, and derivatives like CentOS 7, reach early end of life. Upgrades and improvements of Jenkins components continue with significant progress towards the eventual removal of Prototype.js from Jenkins core. Thanks to a kind donation from Launchable, pull requests to Jenkins core now complete their evaluation builds in 2 hours rather than the 6 hours that were...
Key Takeaways Jenkins plugin updates released to fix security vulnerabilities, advisory published on May 16. JDK8 support has been dropped in favor of JDK11 as the default for running Jenkins agents. Ssh-agent release 5.0.0 introduces breaking changes. Contributed by: Wadeck Follonier A Security Policy was added for the Docker images of the project. Due to multiple reports about CVEs present in the Docker images the project...
Key Takeaways There was one security advisory this month announcing vulnerabilities regarding Jenkins plugins. Cloud Cost Controls with improved resource cleanups and VM usage optimization to face the increased rate of builds on ci.jenkins.io. Thanks to DigitalOcean for their continued support and ($8,400 credit) sponsorship of Jenkins. Ppc64le docker agent images are now available. Jenkins at cdCon + GitOpsCon! Contributed by: Wadeck Follonier In April, there was...
A remote code execution vulnerability has been identified in the Spring Framework. This vulnerability is identified as CVE-2022-22965. Spring officially reacted early in an early announcement. SpringShell in Jenkins Core and Plugins The Jenkins security team has confirmed that the Spring vulnerability is not affecting Jenkins Core. There is no impact because we are using Stapler as a servlet, and neither Spring MVC nor Spring...