[technology-pmc] Hudson 3.1 release
PMC Members - I thank Wayne for kicking things off in relation to Hudson 3.1 Release Review:
In the interests of full disclosure I wanted to make you aware of an issue that I've just added to the Security section of the document. This is a (legacy) issue documented in Bug 412488 which illustrates the potential for user impersonation in the Hudson Web UI under a particular set of circumstances if the Hudson app is deployed in the unsecured HTTP mode on an untrusted network. We have a plan in place to address this issue but this additional hardening involves some significant library upgrades and so is scheduled for 3.2.0. In the short term there are simple workarounds (which also happen to be best practice) which I'm documenting in the release notes now.
Hopefully this will not affect your judgement on the release. We're hoping to squeeze this out in time for JavaOne…