How We Fix Security Issues
<!DOCTYPE html> <html lang='en'> <head> <title> How We Fix Security Issues </title> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'> <meta content='Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software' name='description'> <meta charset='utf-8'> <meta content='width=device-width, initial-scale=1' name='viewport'> <meta content='ie=edge' http-equiv='x-ua-compatible'> <link href='https://www.jenkins.io/security/fixing/' rel='canonical'> <!-- Favicons --> <link href='/favicon.ico' rel='shortcut icon' type='image/x-icon'> <link href='/apple-touch-icon.png' rel='apple-touch-icon' sizes='180x180'> <link href='/favicon-32x32.png' rel='icon' sizes='32x32' type='image/png'> <link href='/favicon-16x16.png' rel='icon' sizes='16x16' type='image/png'> <link href='/site.webmanifest' rel='manifest'> <link color='#5bbad5' href='/safari-pinned-tab.svg' rel='mask-icon'> <meta content='#2b5797' name='msapplication-TileColor'> <meta content='#ffffff' name='theme-color'> <meta content='How We Fix Security Issues' name='apple-mobile-web-app-title'> <!-- Twitter Card data --> <meta content='summary_large_image' name='twitter:card'> <meta content='@JenkinsCI' name='twitter:site'> <meta content='How We Fix Security Issues' name='twitter:title'> <meta content='Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software' name='twitter:description'> <meta content='@JenkinsCI' name='twitter:creator'> <!-- Twitter Summary card images must be at least 120x120px --> <meta content='/images/logo-title-opengraph.png' name='twitter:image'> <!-- Open Graph data --> <meta content='How We Fix Security Issues' property='og:title'> <meta content='article' property='og:type'> <meta content='https://www.jenkins.io/security/fixing/' property='og:url'> <meta content='Jenkins – an open source automation server which enables developers 
around the world to reliably build, test, and deploy their software' property='og:description'> <meta content='How We Fix Security Issues' property='og:site_name'> <meta content='/images/logo-title-opengraph.png' property='og:image'> <link href='/assets/bower/bootstrap/css/bootstrap.min.css' media='screen' rel='stylesheet'> <link href='/css/jenkins.css' media='screen' rel='stylesheet'> <link href='/css/copy-to-clipboard.css' media='screen' rel='stylesheet'> <link href='/stylesheets/styles.css' media='screen' rel='stylesheet'> <!-- Non-obtrusive CSS styles --> <link href='/css/footer.css' media='screen' rel='stylesheet'> <link href='/css/font-awesome.min.css' media='screen' rel='stylesheet'> <link href='https://cdn.jsdelivr.net/npm/@docsearch/css@3' rel='stylesheet'> </head> <body> <script src='/assets/bower/jquery/jquery.min.js'></script> <script src='/js/copy-to-clipboard.js'></script> <jio-navbar class='fixed-nav' id='ji-toolbar' property='https://www.jenkins.io' showSearchBox theme='auto'></jio-navbar> <script> window.addEventListener('DOMContentLoaded', function () { for (var i = 1 ; i <= 6 ; i ++) { anchors.add('.container .row .col-lg-9 h' + i); } }) </script> <div class='container'> <div class='row body'> <div class='col-lg-3'> <div class='sidebar-nav tour'> <p> <a href="/security/" class="">Jenkins Security Home</a> </p> <strong> For Administrators </strong> <ul> <li> <a href="/security/for-administrators/" class="">Overview</a> </li> <li> <a href="/security/advisories/" class="">Security Advisories</a> </li> <li> <a href="/security/issues/" class="">Security Issues</a> </li> <li> <a href="/security/scheduling/" class="">Advisory Schedule</a> </li> <li> <a href="/security/plugins/" class="">Vulnerabilities in Plugins</a> </li> <li> <a href="/security/fixing/" class="active">How We Fix Security Issues</a> </li> </ul> <strong> For Reporters </strong> <ul> <li> <a href="/security/reporting/" class="">Reporting Vulnerabilities</a> </li> <li> <a 
href="/security/cna/" class="">Jenkins CNA</a> </li> </ul> <strong> For Maintainers </strong> <ul> <li> <a href="/security/for-maintainers/" class="">Overview</a> </li> <li> <a href="/security/plugins/" class="">Vulnerabilities in Plugins</a> </li> </ul> <strong> Jenkins Security Team </strong> <ul> <li> <a href="/security/team/" class="">About</a> </li> <li> <a href="/security/improvements/" class="">Contributions</a> </li> </ul> </div> </div> <div class='col-lg-9'> <h1> How We Fix Security Issues </h1> <div class="paragraph"> <p>These guidelines explain the considerations the Jenkins security team applies during security fix development. They will generally hold true for any security fixes developed by the Jenkins security team, and plugin maintainers are encouraged to follow these guidelines as well.</p> </div> <div class="sect2"> <h3 id="minimal"><a class="anchor" href="#minimal"></a>Minimal</h3> <div class="paragraph"> <p>Given the choice between a simple and obviously correct fix and a larger overhaul/redesign, we choose the former. Since security fixes undergo only limited manual testing before publishing, it’s safer to postpone larger changes until after the security issue has been addressed and to deliver them afterwards as a regular enhancement. While it’s annoying for administrators to have to downgrade a regular release because of a regression, having to choose between a secure and a functioning release is much worse.</p> </div> </div> <div class="sect2"> <h3 id="independently-released"><a class="anchor" href="#independently-released"></a>Independently released</h3> <div class="paragraph"> <p>Security updates in plugins should not pick up whatever changes on the default branch are still unreleased. This would increase the risk of regressions that force administrators to choose between a functional and a secure configuration. Security fixes should be developed against the latest release. 
Security updates should contain only security fixes and no other changes.</p> </div> <div class="paragraph"> <p>For Jenkins (core), we apply the same rule to weekly releases: the only changes delivered in those will be security-related. In the case of LTS releases, we deliver regular bug fixes, improvements, and security fixes in the same releases. This rarely results in problems, as bug fixes and improvements are well-tested before being backported into LTS.</p> </div> </div> <div class="sect2"> <h3 id="tested"><a class="anchor" href="#tested"></a>Tested</h3> <div class="paragraph"> <p>Security fixes by the Jenkins security team will have corresponding automated tests confirming that they work as expected.</p> </div> <div class="admonitionblock note"> <table> <tr> <td class="icon"> <i class="fa icon-note" title="Note"></i> </td> <td class="content"> This also means that in many cases, fixes for vulnerabilities include test code that can be considered proof-of-concept exploits. We believe that the advantages of confirming that security fixes work, and remain working in the future, outweigh the downsides of giving attackers a slight advantage. 
</td> </tr> </table> </div> </div> </div> </div> </div> <script src='/assets/bower/anchor-js/anchor.min.js'></script> <script src='/assets/bower/@popperjs/core/umd/popper.min.js'></script> <script src='/assets/bower/bootstrap/js/bootstrap.min.js'></script> <script src='https://cdn.jsdelivr.net/npm/lit@3.2.1/polyfill-support.js'></script> <script src='https://cdn.jsdelivr.net/npm/@webcomponents/webcomponentsjs@2.8.0/webcomponents-loader.js'></script> <script data='ionicons' defer='' src='https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.4.0/ionicons/ionicons.esm.js' type='module'></script> <script data='ionicons' defer='' nomodule='' src='https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.4.0/ionicons/ionicons.js'></script> <script defer='' src='https://cdn.jsdelivr.net/npm/@jenkinsci/jenkins-io-components/+esm' type='module'></script> <script defer='' nomodule='' src='https://cdn.jsdelivr.net/npm/@jenkinsci/jenkins-io-components/'></script> <jio-footer githubBranch='master' githubRepo='jenkins-infra/jenkins.io' property='https://www.jenkins.io' reportAProblemTemplate='4-bug.yml' sourcePath='content/security/fixing.adoc'></jio-footer> <script> $(function(){ var $body = $(document.body); $body.on("keydown", function(){ $body.removeClass("no-outline"); }) const updateTheme = () => { const dark = window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches; document.documentElement.dataset.theme = dark ? "dark" : ""; } updateTheme(); window.matchMedia('(prefers-color-scheme: dark)').addEventListener('change', updateTheme); }) </script> </body> </html>