Jenkins : Plugins affected by the SECURITY-901 fix

Several authentication related plugins do not work on Jenkins releases with the SECURITY-901 fix.

The fix requires that security realms call SecurityListener#authenticated or SecurityListener#loggedIn after a successful authentication. If a security realm does neither, the session is invalidated immediately and the user is logged out again.

To disable this security fix when using a security realm that does not call SecurityListener as described above, set the Java system property jenkins.security.seed.UserSeedProperty.disableUserSeed to true.

Unsafe

Setting this system property will undo the additional protection provided by the security fix.
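As an added illustration, not code from this page or from any of the plugins listed below, the following shows the shape of the change the affected plugins needed: a security realm that completes an SSO-style login itself (rather than going through the core login form) must fire the SecurityListener after it has placed the Authentication in the security context. The package, class name and the external token validation step are hypothetical; the Jenkins and Acegi API calls are the ones available in the 2.150.x era.

```java
// Added example (hypothetical plugin code): an SSO-style SecurityRealm that
// satisfies the SECURITY-901 requirement by calling SecurityListener after login.
package org.example.ssorealm;  // hypothetical package

import hudson.security.SecurityRealm;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;

public class ExampleSsoSecurityRealm extends SecurityRealm {

    @Override
    public SecurityComponents createSecurityComponents() {
        // Logins never go through the core username/password filter in an SSO
        // realm, so the AuthenticationManager only rejects direct attempts.
        return new SecurityComponents(new AuthenticationManager() {
            @Override
            public Authentication authenticate(Authentication authentication)
                    throws AuthenticationException {
                throw new BadCredentialsException("Use the SSO callback instead");
            }
        });
    }

    /**
     * Called by the plugin's callback endpoint once the external identity
     * provider has confirmed who the user is. The validation of the provider's
     * response (signature, audience, expiry) happens before this method and is
     * out of scope for the example.
     */
    public void finishLogin(String username, String[] groups) {
        GrantedAuthority[] authorities = new GrantedAuthority[groups.length + 1];
        authorities[0] = SecurityRealm.AUTHENTICATED_AUTHORITY;
        for (int i = 0; i < groups.length; i++) {
            authorities[i + 1] = new GrantedAuthorityImpl(groups[i]);
        }

        // No password is held for an SSO user; an empty string is conventional.
        UserDetails details = new User(username, "", true, true, true, true, authorities);
        Authentication auth = new UsernamePasswordAuthenticationToken(details, "", authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);

        // SECURITY-901: this is the call the broken plugins were missing. Core's
        // user-seed listener records the seed in the HTTP session when it fires;
        // without it the session is invalidated on the next request and the
        // user is logged out again. SecurityListener.fireLoggedIn(username)
        // is the alternative if no UserDetails object is available.
        SecurityListener.fireAuthenticated(details);
    }
}
```

The important part is the order: set the Authentication in the SecurityContextHolder first, then fire the listener, so that the seed recorded in the session matches the user that is actually logged in. Plugins that only set the security context, which was enough before 2.150.2 / 2.160, are exactly the ones listed as affected below.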

Further references

Affected plugins

The table below lists plugins that were affected by the SECURITY-901 fix in Jenkins 2.150.2 and 2.160. The "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.

| Plugin | Issue | Pull request | Status |
| --- | --- | --- | --- |
| Azure AD | https://github.com/jenkinsci/azure-ad-plugin/issues/34 | https://github.com/jenkinsci/azure-ad-plugin/pull/35 | Fixed in 0.3.2 (2019-01-18) |
| Bitbucket OAuth | JENKINS-55668 - Unable to login with Bitbucket Oauth plugin after Jenkins update (2.150.2) (Resolved); https://github.com/mallowlabs/bitbucket-oauth-plugin/issues/18 | https://github.com/jenkinsci/bitbucket-oauth-plugin/pull/3 | Fixed in 0.9 (2019-01-19) |
| CAS | https://github.com/fcrespel/jenkins-cas-plugin/issues/9 | https://github.com/jenkinsci/cas-plugin/pull/2 | Fixed in 1.4.3 (2019-01-21) |
| CollabNet | JENKINS-55892 - CollabNet-Plugin is not compatible with SECURITY-901 fix (Upgrading to 2.160) (In Review) | https://github.com/jenkinsci/collabnet-plugin/pull/27 | PR proposed (untested), in review |
| Google Login | n/a | n/a | Compatible since 1.4 (2018-05-30) |
| Kerberos SSO | JENKINS-55698 - SSO + CRSF causes 403 errors (Resolved) | https://github.com/jenkinsci/kerberos-sso-plugin/pull/13 | Fixed in 1.5 (2019-02-14) |
| Keycloak Authentication | JENKINS-55669 - Auth plugin doesn't work after upgrade to Jenkins 2.150.2 (Resolved) | https://github.com/jenkinsci/keycloak-plugin/pull/5 | Fixed in 2.3.0 (2019-01-20) |
| OpenID | JENKINS-55683 - Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication (Resolved) | https://github.com/jenkinsci/openid-plugin/pull/14 | Fixed in 2.3 (2018-01-25) |
| OpenID Connect Authentication | JENKINS-55654 - infinite redirect loop when auth provider is oidc (after update to 2.160) (Resolved); https://github.com/jenkinsci/oic-auth-plugin/issues/54 | https://github.com/jenkinsci/oic-auth-plugin/pull/56 | Fixed in 1.5 (2019-01-20) |
| Windows Negotiate SSO | JENKINS-55697 - NegotiateSSO Plugin is not compatible with SECURITY-901 FIX (Upgrading to 2.160/2.150.2) (Resolved) | https://github.com/jenkinsci/negotiatesso-plugin/pull/2 | Fixed in 1.2 (2019-03-06) |