[hudson-dev] Critical Hudson Vulnerability

Hi Hudson Developers,

I have found a severe security bug in Jenkins that turned out to occur in Hudson as well.
Particularly, it’s an XXE leading to arbitrary file disclosure. It was already reported to the developers of Jenkins, and I was made aware that it’s present in Hudson as well, so I wanted to let you know about it.
Not knowing that it would be posted to the public, I posted a bug in the bug tracker; you can find it at https://bugs.eclipse.org/bugs/show_bug.cgi?id=458312 (I am deeply sorry that I didn’t notice the lack of a “non-public” option).
I tried to hide the report by downgrading its importance to “enhancement” and changing the title to something less suspicious, though I didn’t find a way to remove or edit the comment containing detailed information about the bug. I’d be glad if you could (at least for the moment, as long as it’s unfixed) delete everything related to the bug report as soon as possible.

Best regards and sorry again,
Fabi