[SECURITY-2394] Prevent XXE

[a-st]

Potential fix for XXE vulnerability in Performance Plugin (SECURITY-2394 / CVE-2021-21701)

[michal-sujkowski]

@artem-fedorov When do you plan to make a release with that fix?

[rpionke]

@daniel-beck can you file a release to get this security fix released?

[daniel-beck]

I am not a maintainer, never have been.

[rpionke]

I know, but you created a security fix related release in the past. So i thought you can do it again.

[michal-sujkowski]

Any update on releasing this?

[zdenek-jonas]

I am waiting for the release too. Please do it.

[msymons]

A JIRA issue has been logged requesting that this fix be released... JENKINS-69026

[gonchik]

+1
I am waiting for the release too. Please do it.

[faandg]

@basil this CVE was patched 8 months ago but people are still waiting for a release...
Is this something you can do please? Or notify someone who can?

[basil]

I am not a maintainer of this plugin. See this page.

[NathanAZaks]

@artem-fedorov @manolo Hi Artem and Manuel, I saw you were maintainers on Jenkins.io. Could you please create a new release for this which includes the XXE fix? Thanks!

[msymons]

@a-st , thank you very much for talking care of the release that addreses the vulnerability. However, as I have documented on JENKINS-69026, Jenkins is still warning that the vulnerability is still present.

[a-st]

@msymons You're welcome! There's a PR pending (jenkins-infra/update-center2#683) which will take care of removing the warning.