[Ci-users] Jenkins SafeRestart to add extra CSRF Protection 19-Apr-2016 14h30 UTC (09h30 EDT)

Tue Apr 19 13:54:26 UTC 2016
Brian Stinson <bstinson at redhat.com>

Hi Folks,

In response to news of directed attacks against public Jenkins
instances[0], we are enabling some of the CSRF protections in ci.centos.org

To do this we will issue a SafeRestart at 14:30 UTC Today! Running jobs
will be given a chance to clear and new jobs should be queued up and
will execute as soon as the restart finishes. 

Potential Impact:
- If you are using the Jenkins REST interface you may need to modify
  your scripts to send the appropriate headers[1]

- Jenkins Job Builder is tracking an issue to enable CSRF support[2].
  Some basic tests were performed on our side, and simple jobs were
  configured correctly, but you may notice strange behavior if you are
  using JJB.
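For the REST-interface point above, here is an added example (not part of the original mail, and not CentOS CI's own tooling) of what a script has to do once Jenkins CSRF protection is on: fetch a crumb from the crumb issuer, then attach it, under the header name the server itself reports, to every state-changing request. The `/crumbIssuer/api/json` endpoint and the `crumb`/`crumbRequestField` fields are Jenkins' real API; the sample JSON body, the `trigger_build` helper, and the server, job and credential values are constructed for illustration.

```python
import base64
import json
import urllib.request

# Constructed sample of the JSON that GET /crumbIssuer/api/json returns
# (the crumb value here is made up for illustration).
SAMPLE_CRUMB_RESPONSE = (
    '{"_class":"hudson.security.csrf.DefaultCrumbIssuer",'
    '"crumb":"0123456789abcdef0123456789abcdef",'
    '"crumbRequestField":"Jenkins-Crumb"}'
)


def parse_crumb(body):
    """Turn the crumb issuer's JSON body into the header Jenkins expects.

    The server names the header itself (crumbRequestField), so do not
    hard-code "Jenkins-Crumb"; read it from the response.
    """
    data = json.loads(body)
    field = data.get("crumbRequestField")
    crumb = data.get("crumb")
    if not field or not crumb:
        raise ValueError("crumb issuer response lacks crumb or field name")
    return {field: crumb}


def basic_auth_header(user, api_token):
    """HTTP Basic header built from a Jenkins user name and API token."""
    raw = f"{user}:{api_token}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def build_request(base_url, path, method, headers, data=None):
    """Assemble a urllib Request carrying the given auth and crumb headers."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, data=data, method=method)
    for name, value in headers.items():
        req.add_header(name, value)
    return req


def trigger_build(base_url, job_name, user, api_token, opener=None):
    """Hypothetical helper: fetch a crumb, then POST to the job's build URL.

    The opener keeps cookies across the two requests because newer Jenkins
    releases bind each crumb to the web session that obtained it; a crumb
    sent without its session cookie is rejected.
    """
    if opener is None:
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    auth = basic_auth_header(user, api_token)

    # Step 1: read-only GET to obtain the crumb (no crumb needed for GETs).
    crumb_req = build_request(base_url, "/crumbIssuer/api/json", "GET", auth)
    with opener.open(crumb_req) as resp:
        crumb = parse_crumb(resp.read().decode("utf-8"))

    # Step 2: state-changing POST; without the crumb header Jenkins answers 403.
    build_req = build_request(
        base_url, f"/job/{job_name}/build", "POST", {**auth, **crumb}, data=b""
    )
    with opener.open(build_req) as resp:
        return resp.status
```

Call `trigger_build("https://jenkins.example.invalid", "example-job", "ci-user", "API_TOKEN")` with your own server, job and token to queue a build. Scripts that already send Basic auth only need the extra crumb header and, on current Jenkins versions, the cookie jar; scripts that cache a crumb across sessions will start seeing 403s and should fetch a fresh one per session.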

[0]: https://groups.google.com/d/topic/jenkinsci-advisories/lJfvDs5s6bk
[1]: https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API#RemoteaccessAPI-CSRFProtection
[2]: https://storyboard.openstack.org/#!/story/2000556

If you have any questions or comments, let us know here or find one of
us in #centos-devel on Freenode.

Brian Stinson
CentOS CI Infrastructure Team