Bug 1972361 - Bump jenkins version to 2.289.1
Summary: Bump jenkins version to 2.289.1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 4.7.z
Assignee: Akram Ben Aissi
QA Contact: Jitendar Singh
URL:
Whiteboard:
Duplicates: 1891693 1972088
Depends On: 1972354
Blocks: CVE-2020-27216 CVE-2020-27218 CVE-2020-27223 CVE-2021-28169 1972366 CVE-2021-34428
Reported: 2021-06-15 17:50 UTC by Akram Ben Aissi
Modified: 2023-09-15 01:09 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1972354
Clones: 1972366
Environment:
Last Closed: 2021-08-17 12:12:09 UTC
Target Upstream Version:
Embargoed:



Links
Github openshift jenkins pull 1281 (open): Bug 1972361: Bump jenkins version 2.289.1 (last updated 2021-08-05 11:54:04 UTC)
Red Hat Product Errata RHBA-2021:3032 (last updated 2021-08-17 12:12:50 UTC)

Description Akram Ben Aissi 2021-06-15 17:50:01 UTC
+++ This bug was initially created as a clone of Bug #1972354 +++

+++ This bug was initially created as a clone of Bug #1972351 +++

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Daniel Del Ciancio 2021-06-16 20:40:34 UTC
Just an update on this matter.  The customer reached out to me earlier today and it seems there has been a misunderstanding about the cause of the issue.
The problem was not caused by a bad Jenkins image published by Red Hat, but instead, by a custom plugin dependency that the customer had introduced into their custom Jenkins starter kit image.

As part of the Jenkins starter kit image, custom plugins were being added; however, the "latest" versions of these plugins were being installed.  This caused newer versions of any dependent plugins to be downloaded, and there is no guarantee that these plugins are compatible with the version of Jenkins we provide.

This means that there is no urgent need to bump up the Jenkins version.  I have asked the customer to pin to a specific Jenkins version as well as pin any associated custom plugins so that both remain compatible with one another.

I was wondering if there could be any plugin upgrade validation that could prevent upgrading to a plugin version that is incompatible with the underlying Jenkins version?
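
Comment 2 asks whether plugin upgrades could be validated against the underlying Jenkins version. As an added example (not code from this bug, the customer, or the OpenShift Jenkins image), the following Python reads each plugin's Jenkins-Version manifest header and flags plugins that require a newer core than the one being pinned, here 2.289.1; the plugin names and manifests are constructed.

```python
"""Flag pinned Jenkins plugins whose minimum core version is newer than the shipped core.

Hypothetical helper, not part of the OpenShift Jenkins image or this bug record. Each plugin
.hpi carries META-INF/MANIFEST.MF with a Jenkins-Version header naming the minimum core.
"""
import re
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.289.1' -> (2, 289, 1); stops at the first non-numeric token (e.g. '-SNAPSHOT')."""
    parts: List[int] = []
    for tok in v.split("."):
        m = re.match(r"\d+", tok)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'Key: value' lines; a line starting with a space continues the previous value."""
    headers: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            headers[key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            headers[key.strip()] = val.strip()
    return headers

def incompatible_plugins(manifests: Dict[str, str], core: str) -> List[str]:
    """Return one finding per plugin that requires a newer core than `core`."""
    findings = []
    for name, text in manifests.items():
        h = parse_manifest(text)
        # Hudson-Version is the legacy name of the same header on very old plugins.
        required = h.get("Jenkins-Version") or h.get("Hudson-Version")
        if required and parse_version(required) > parse_version(core):
            findings.append(f"{name}: requires Jenkins {required}, image ships {core}")
    return findings

# Constructed sample manifests (not real plugins); the folded Plugin-Dependencies
# line mimics the 72-byte line wrapping MANIFEST.MF uses.
SAMPLE_MANIFESTS = {
    "pinned-plugin": "Short-Name: pinned-plugin\nJenkins-Version: 2.289.1\n"
                     "Plugin-Dependencies: dep-a:1.2,dep-b:3.4;res\n olution:=optional\n",
    "too-new-plugin": "Short-Name: too-new-plugin\nJenkins-Version: 2.303.3\n",
}
```

Run `incompatible_plugins` over the manifests of every pinned plugin before building the image; an empty result means no plugin declares a core requirement above the pinned Jenkins version.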

Comment 3 Adam Kaplan 2021-06-28 15:28:43 UTC
*** Bug 1891693 has been marked as a duplicate of this bug. ***

Comment 5 Adam Kaplan 2021-08-03 21:45:24 UTC
Downgrading the severity of this to "Medium" to conform with our Bugzilla standards.

- Bumping Jenkins will address CVEs with medium severity/"Moderate" impact score.
- Priority is "High" to reflect aggregate importance of addressing CVEs.

Comment 9 Jitendar Singh 2021-08-09 13:00:31 UTC
VERIFIED.

Comment 11 errata-xmlrpc 2021-08-17 12:12:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.24 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3032

Comment 12 jawed 2021-09-21 12:59:54 UTC
*** Bug 1972088 has been marked as a duplicate of this bug. ***

Comment 13 Red Hat Bugzilla 2023-09-15 01:09:55 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
