This repository was archived by the owner on Dec 15, 2025. It is now read-only.

Update dependency org.jenkins-ci.plugins:github-branch-source to v2.3.5 [SECURITY] #3

Open

rinus wants to merge 1 commit into master from renovate/maven-org.jenkins-ci.plugins-github-branch-source-vulnerability

Conversation

@rinus rinus commented Dec 15, 2025

This PR contains the following updates:

Package                                          Type   Update   Change
org.jenkins-ci.plugins:github-branch-source      test   minor    2.2.3 -> 2.3.5

GitHub Vulnerability Alerts

CVE-2018-1000185

A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 2.3.5, this form validation method requires POST requests and the Overall/Administer permission.


Release Notes

jenkinsci/github-branch-source-plugin (org.jenkins-ci.plugins:github-branch-source)

v2.3.5

Release date: 2018-06-04

v2.3.4

Release date: 2018-04-20

v2.3.3

Release date: 2018-03-14

  • JENKINS-49945: PR matching regex can never match strategies
  • Switched default forked PR trust strategy from Contributors to the more secure From users with Admin or Write permission, adding warnings in the UI about insecure strategies.
  • Reduction in log noise.

v2.3.2

Release date: 2017-12-18

  • JENKINS-36574: Allow extension plugins to control the notification context (contributed by Steven Foster)
  • JENKINS-47585: Add support for lightweight changelog
  • JENKINS-48035: GitHub Webhook is not created right after saving the job
  • Do not throw away stack trace for some chained exception failure modes (PR#159)
  • Update baseline GitHub API dependency to version that fixes the ID > Integer.MAX_VALUE overflow (08b3d32)

v2.3.1

Release date: 2017-11-09

  • JENKINS-47902: The addition of tag support in 2.3.0 also included changes that removed the need for a clone of the repository to master with some code paths using pipeline shared libraries. The fix code did not include the fix for JENKINS-47824. This regression is now fixed on top of tag support.

v2.3.0

Release date: 2017-11-07

Feature

  • JENKINS-34395: Add support for discovery of tags.

    This feature adds a new "Discover Tags" behaviour which, when added, will discover tags. With this feature there are now three types of things that can be discovered: branches, pull requests and tags.

    When used with the Branch API plugin, tags will show up as a new category. The default configuration of Branch API will not trigger builds for tags automatically.

    This is by design, as one of the use-cases for tag discovery is to use the tag job to perform deployment. If tags were built automatically, given that the order in which the tag jobs actually execute is undefined, the automatic build could cause significant issues. Branch API does provide a mechanism to control what gets built automatically (known as the BranchBuildStrategy) but that cannot be configured until you have at least one extension plugin that provides a BranchBuildStrategy.

    If you want tags to build automatically, you will need an extension plugin for Branch API that implements at least one BranchBuildStrategy; see AngryBytes/jenkins-build-everything-strategy-plugin for a prototype example of such an extension plugin.

v2.2.6

Release date: 2017-11-04

  • JENKINS-47824: When using GitHub as a Modern SCM for shared pipeline libraries, tag revisions did not work.

v2.2.5

Release date: 2017-11-01

  • JENKINS-47775: Fix optimized event processing of PRs that have been closed.

v2.2.4

Release date: 2017-10-20

  • JENKINS-46967: Upgrade parent POM and upgrade the baseline for github-branch-source
  • PR#161: github.getRepository expects 'org/repo' format
  • PR#151: Upgrade Credentials plugin to 2.1.15
  • JENKINS-46449: NPE on build PR head revision
  • JENKINS-46203: Add a LICENSE file to github repo
  • JENKINS-46295: Event handling could blow up where a query optimization is attempted for a deleted branch
  • JENKINS-46364: GitHub Branch Source Plugin can't create status if credential restricted by spec

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
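The CVE-2018-1000185 description above names two properties of the affected form validation method: it answered GET requests, and it only required Overall/Read before making Jenkins connect to a caller-supplied URL. The Java sketch below is added here as an illustration of that class of bug and its fix on a Jenkins descriptor; it is not code from the plugin, from this PR, or from Renovate. The class `ApiEndpoint`, the descriptor, the field name `apiUri` and the method names are all assumptions; the Jenkins and Stapler APIs used (`FormValidation`, `@QueryParameter`, `@RequirePOST`, `Jenkins.get().checkPermission`, `Jenkins.ADMINISTER`) are real.

```java
// Hypothetical descriptor written to illustrate the advisory; not the plugin's own code.
package example.formvalidation;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

public class ApiEndpoint extends AbstractDescribableImpl<ApiEndpoint> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ApiEndpoint> {

        // Pattern the advisory describes, kept here only for contrast (do not ship this):
        // the method answers GET, performs no permission check, and makes the
        // server open a connection to whatever URL the caller supplies.
        public FormValidation doCheckApiUriLegacy(@QueryParameter String apiUri) {
            return probe(apiUri);
        }

        // Hardened form, matching what the advisory says 2.3.5 does:
        // 1. @RequirePOST makes Stapler reject GET, so the check cannot be triggered
        //    by a link or image tag in another site (closes the CSRF angle).
        // 2. Overall/Administer is checked before any outbound request, so only
        //    administrators can make Jenkins connect anywhere (closes the SSRF angle).
        @RequirePOST
        public FormValidation doCheckApiUri(@QueryParameter String apiUri) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException otherwise
            URL url;
            try {
                url = new URL(apiUri);
            } catch (MalformedURLException e) {
                return FormValidation.error("Not a valid URL");
            }
            if (!"https".equals(url.getProtocol())) {
                return FormValidation.warning("API endpoint should use https");
            }
            return probe(url.toString());
        }

        // Server-side connectivity test. This outbound call is what turns the endpoint
        // into an SSRF primitive when it is reachable without authorization.
        private static FormValidation probe(String apiUri) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(apiUri).openConnection();
                c.setRequestMethod("HEAD");
                c.setConnectTimeout(5_000);
                c.setReadTimeout(5_000);
                c.setInstanceFollowRedirects(false); // do not let the target redirect us elsewhere
                int code = c.getResponseCode();
                return code < 400
                        ? FormValidation.ok("Reachable (HTTP " + code + ")")
                        : FormValidation.error("Endpoint returned HTTP " + code);
            } catch (IOException e) {
                return FormValidation.error("Could not reach endpoint: " + e.getMessage());
            }
        }

        @Override
        public String getDisplayName() {
            return "API endpoint";
        }
    }
}
```

Jenkins wires a `doCheckApiUri` method to the `apiUri` field of the descriptor's config form, so the permission check and the POST requirement have to live on that method itself; a check in the form's `Jelly` view or in `configure()` would not cover the validation URL. When reviewing a plugin upgrade like this one, the things to look for are exactly these two: every `doCheck*`/`doTest*` method that performs I/O carries `@RequirePOST`, and it calls `checkPermission` with a permission stronger than Overall/Read before the I/O happens.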
