Jenkins plugins security advisory 2023-01-24 #3158

Closed
richardlau opened this issue Jan 25, 2023 · 2 comments

@richardlau
Member

The following Jenkins plugin updates contain fixes for security vulnerabilities:

  • Azure AD Plugin 306.va_7083923fd50
  • Bitbucket OAuth Plugin 0.13
  • Gerrit Trigger Plugin 2.38.1
  • Kubernetes Credentials Provider Plugin 1.209.v862c6e5fb_1ef
  • OpenId Connect Authentication Plugin 2.5
  • Orka by MacStadium Plugin 1.32
  • Script Security Plugin 1229.v4880b_b_e905a_6
  • Semantic Versioning Plugin 1.15

Additionally, we announce unresolved security issues in the following plugins:

  • BearyChat Plugin
  • Cisco Spark Notifier Plugin
  • GitHub Pull Request Builder Plugin
  • GitHub Pull Request Coverage Status Plugin
  • JIRA Pipeline Steps Plugin
  • Keycloak Authentication Plugin
  • MSTest Plugin
  • OpenID Plugin
  • PWauth Security Realm Plugin
  • RabbitMQ Consumer Plugin
  • TestComplete support Plugin
  • TestQuality Updater Plugin
  • view-cloner Plugin
  • visualexpert Plugin

Please see the advisory for more information:
https://www.jenkins.io/security/advisory/2023-01-24/

@richardlau
Member Author

Of these we're only using the Script Security Plugin. I've updated it on both the test and release servers.
The test CI server has been restarted.
Release CI will restart when current builds have completed.

@richardlau
Member Author

FWIW we had to revert the update of this plugin: #3159
Plan is to update it again when we update Jenkins to the current LTS version.
