by kohsuke 3883 days ago
I'm from the Jenkins project.

I wish the authors of this post gave us a heads up beforehand. It put our users at unnecessary risk.

At the Jenkins project, we've published a mitigation script (https://jenkins-ci.org/content/mitigating-unauthenticated-re...) while we work out a better fix for users.

2 comments

It seems that users have already been at unnecessary risk, given "In fact, even though proof of concept code was released OVER 9 MONTHS AGO, none of the products mentioned in the title of this post have been patched, along with many more."
Has anybody reported anything? The commons project seems to have been made aware of this just this weekend through third parties. If nobody reported anything, no wonder it didn't get fixed.
Geez. That sucks.

I guess they really wanted those minutes of fame.