Hi Folks,
In response to news of directed attacks against public Jenkins instances[0], we are enabling some of the CSRF protections in ci.centos.org.
To do this we will issue a SafeRestart at 14:30 UTC today! Running jobs will be given a chance to clear and new jobs should be queued up and will execute as soon as the restart finishes.
Potential Impact:
- If you are using the Jenkins REST interface you may need to modify your scripts to send the appropriate headers[1]
- Jenkins Job Builder is tracking an issue to enable CSRF support[2]. Some basic tests were performed on our side, and simple jobs were configured correctly, but you may notice strange behavior if you are using JJB.
[0]: https://groups.google.com/d/topic/jenkinsci-advisories/lJfvDs5s6bk
[1]: https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API#RemoteaccessAP...
[2]: https://storyboard.openstack.org/#!/story/2000556
If you have any questions or comments, let us know here or find one of us in #centos-devel on Freenode.
Cheers!
--
Brian Stinson
CentOS CI Infrastructure Team
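
Added example (not part of the original announcement, and not CentOS CI or Jenkins project code): one way a REST script can send the CSRF header mentioned under Potential Impact, by asking the Jenkins crumb issuer for the header name and value before each POST. The sample crumb reply and the `opener` parameter (a hook for substituting the HTTP call) are constructed for illustration.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of a crumb issuer reply; real values come from the server.
SAMPLE_CRUMB_JSON = b'{"crumbRequestField": "Jenkins-Crumb", "crumb": "0123abcd"}'


def basic_auth(user, api_token):
    """Build the HTTP Basic Authorization value for a user and API token."""
    raw = f"{user}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def fetch_crumb(base_url, auth, opener=urllib.request.urlopen):
    """Return (header_name, crumb), or None when no crumb issuer is enabled."""
    url = base_url.rstrip("/") + "/crumbIssuer/api/json"
    req = urllib.request.Request(url, headers={"Authorization": auth})
    try:
        with opener(req) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # Jenkins answers 404 when CSRF protection is off
            return None
        raise
    # Use the field name the server reports instead of hard-coding it.
    return data["crumbRequestField"], data["crumb"]


def build_post(base_url, path, auth, crumb):
    """Build a POST request that carries the crumb header when one is needed."""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=b"",
                                 method="POST", headers={"Authorization": auth})
    if crumb is not None:
        req.add_header(*crumb)
    return req


def trigger_build(base_url, job, user, api_token, opener=urllib.request.urlopen):
    """Fetch a crumb, then POST /job/<job>/build; returns the HTTP status."""
    auth = basic_auth(user, api_token)
    crumb = fetch_crumb(base_url, auth, opener)
    path = "/job/" + urllib.parse.quote(job, safe="") + "/build"
    with opener(build_post(base_url, path, auth, crumb)) as resp:
        return resp.status
```

A POST that reaches a CSRF-protected Jenkins without this header is rejected, so scripts that only ever issue GET requests need no change.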