Red Hat Bugzilla – Bug 1516300
How to keep OCP Jenkins and plugins updated
Last modified: 2018-04-05 05:32:46 EDT
Created attachment 1357449 [details] screen shot of the jenkins Description of problem: Warning appears in the jenkins saying "New Version of jenkins (2.73.3) is available for download and jenkins 2.46.3 core and libraries" as shows in the attached screen shoot Version-Release number of selected component (if applicable): OCP 3.6 How reproducible: always Steps to Reproduce: 1. create a new app using jenkins template as show in https://docs.openshift.com/container-platform/3.6/using_images/other_images/jenkins.html 2. login in to jenkins and check activity. Actual results: Jenkins 2.46.3 core and libraries: Multiple security vulnerabilities Multiple security vulnerabilities Pipeline: Input Step 2.7: Users with read access could interact with input step by default Script Security Plugin 1.29: Unsafe entries in default whitelist Multiple sandbox bypasses Subversion Plug-in 2.7.2: CSRF vulnerability and insufficient permission checks allow capturing credentials Git plugin 3.3.0: CSRF vulnerability in Git plugin allows capturing credentials Pipeline: Build Step 2.1: Missing permission check allows building all jobs Pipeline: Groovy 2.30: Arbitrary code execution due to incomplete sandbox protection Expected results: There should be no error Additional info:
we ship new jenkins images w/ updated plugins and core jenkins versions on release boundaries. the 3.7 image will be delivered soon and move to LTS 2.73.
Hi ben, I can reproduce the bug jenkins version: registry.access.redhat.com/openshift3/jenkins-2-rhel7:latest 3a9dee18d3af steps: 1. Create jenkins apps with access registry jenkins image $ oc new-app --template=jenkins-ephemeral 2.Check the jenkins version in webconsole, pls see attachment
Created attachment 1392491 [details] jenkins manage page
Created attachment 1392497 [details] jenkins v3.7 web
about 3.7 version registry.access.redhat.com/openshift3/jenkins-2-rhel7 v3.7 ae27a01507c6 jenkins already is latest ,but had warning info see attachment 1392497 [details]
sorry, jenkins is not using latest
Let me clear my comments:> 1. v3.6 jenkins images from access and brew is not using latest version jenkins 2. v3.7 jenkins images from registry.access and brew is not using latest version jenkins 3. v3.9 jenkins image from brew is using latest jenkins 4. latest jenkins image from brew is using latest jenkins
> v3.7 jenkins images from registry.access and brew is not using latest version jenkins per my comment 4, the v3.7 image on registry.access is LTS 2.89, as expected. docker run -it registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.7 rpm -qa | grep jenkins-2 jenkins-2.89.2-1.el7.noarch registry.access.redhat.com/openshift3/jenkins-2-rhel7 v3.7 ae27a01507c6 8 days ago 1.69 GB
the only meaningful issue I see here is that the ansible installer is not currently installing version-tagged jenkins imagestreams in 3.7 (the jenkins imagestream installed by v3.7 points to "latest" instead of "v3.7"). This issue is tracking that problem: https://github.com/openshift/openshift-ansible/issues/7027 But the jenkins v3.7 image itself contains the correct jenkins version.
Yes, v3.7 image on registry.access is LTS 2.89 # docker run -it registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.7 rpm -qa | grep jenkins-2 jenkins-2.89.2-1.el7.noarch so it's expected, verified it
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0636