🔒 Security

Fix SECURITY-3257

🐛 Bug fixes

• JENKINS-70208 : downstreamPipelineTriggerRunListener Performance (#567) @aubelix

Full Changelog: https://github.com/jenkinsci/pipeline-maven-plugin/compare/pipeline-maven-3.11.1...pipeline-maven-3.11.2

🐛 Bug fixes

• Revert public API changes introduced by JENKINS-68741 - Build dependencies are recorded several times in database (#455) @bguerin

Full Changelog: https://github.com/jenkinsci/pipeline-maven-plugin/compare/pipeline-maven-3.11.0...pipeline-maven-3.11.1

🔒 Security Release

Stored XSS vulnerability in upstream cause in Pipeline Maven Integration Plugin

SECURITY-1976 / CVE-2020-2256

Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.

2020-08-12 Security release

https://www.jenkins.io/security/advisory/2020-08-12/

Missing permission check in Pipeline Maven Integration Plugin allows enumerating credentials IDs

SECURITY-1794 (1) / CVE-2020-2233

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions.

CSRF vulnerability and missing permission check in Pipeline Maven Integration Plugin allow capturing credentials

SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.

• JENKINS-59583 JunitTestsPublisher: Also set stage result
• JENKINS-59725 Bump to HikariCP 3.4.1
• JENKINS-57794 recommend to install the "MySQL API Plugin" / "PostgreSQL API Plugin" when the JDBC driver class is not found
• JENKINS-60253 Validate Pipeline Maven Plugin with PostgreSQL 12

• JENKINS-58811 Downstream pipelines are not triggered when using the Authorize Project Plugin
  • JENKINS-58784 adapt withMaven downstream pipeline trigger to be compatible with JENKINS-22949 (Authorize Project Plugin...)

• JENKINS-57543 Support PostgreSQL database
• JENKINS-57813 Bump jenkins-core dependency to 2.138
• JENKINS-57794 use the mysql-api-plugin to load the mysql-java-connector

• JENKINS-57543 Support PostgreSQL database
• JENKINS-57605 Use the "H2 API Plugin" to load H2

(i) The Pipeline Maven Plugin now needs to install the "H2 API Plugin". It is done transparently if the master is connected to the Internet

JENKINS-57543 Support PostgreSQL database
JENKINS-57605 Use the "H2 API Plugin" to load H2
Download URL: https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/pipeline-maven/3.7.0-beta-1/pipeline-maven-3.7.0-beta-1.hpi

• JENKINS-57543 Support PostgreSQL database
• JENKINS-57605 Use the "H2 API Plugin" to load H2

Download URL: https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/pipeline-maven/3.6.15-beta-1/pipeline-maven-3.6.15-beta-1.hpi

• JENKINS-54038 support multiple jacoco reports
• JENKINS-57483 Bump H2 to 1.4.199
• JENKINS-56666 fix for qoomon/maven-git-versioning-extension

JENKINS-57332 fix mix of artifact.version and artifact.baseVersion in PipelineMavenPluginDao#getGeneratedArtifacts()

JENKINS-56666 maven-git-versioning-extension causes warnings due to temporary pom.xml file name '.git-versioned.pom.xml'

• Fix NPE in PipelineTriggerService.java

• JENKINS-57145 Reduce message length when withMaven(){...} is running in docker.image("").inside{...}
• JENKINS-57144 Fix cod snippet generator bug for tempBinDir
• JENKINS-56232 mavenLocalRepo: support absolute folder path in addition to relative folder path

• JENKINS-56044 Merge publishers (junit) with the same filename pattern
• JENKINS-55889 Support tycho-surefire-plugin tests
• JENKINS-56246 on MySQL, support up to 100 chars on the maven_artifact.version column
• JENKINS-56228 fixed build being triggered multiple times.

• JENKINS-56044 Merge publishers (junit) with the same filename pattern
• JENKINS-55889 Support tycho-surefire-plugin tests
• JENKINS-56246 on MySQL, support up to 100chars on the maven_artifact.version column
• [JENKINS-56228] fixed build being triggered multiple times.

Download https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/pipeline-maven/3.6.8-beta-2/pipeline-maven-3.6.8-beta-2.hpi

• JENKINS-56044 Merge publishers (junit) with the same filename pattern
• JENKINS-55889 Support tycho-surefire-plugin tests
• JENKINS-56246 on MySQL, support up to 100chars on the maven_artifact.version column

Download: https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/pipeline-maven/3.6.8-beta-1/pipeline-maven-3.6.8-beta-1.hpi

JENKINS-55566 Only one downstream pipeline per parent pom dependency is triggered