Based on Jenkins
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.
- The Docker Commons plugin and Configuration as Code (FNDJEN-2152)
This plugin now supports Configuration as Code.
- The CloudBees Docker Hub/Registry Notification plugin and Configuration as Code (FNDJEN-2153)
This plugin now supports Configuration as Code.
- Security Realm
While the authorization strategy for the operations center was not case-sensitive for the username field, the Team Masters were case-sensitive and had to match exactly what was entered on the Team administration page used to add users. This meant that a user recorded in lower-case was able to sign on with upper-case letters to the operations center but was not recognized in the Team Master.
With this fix, Team Masters allow users to sign on with different character cases when using an authorization strategy that is not case sensitive for UserId or external GroupId.
- ConnectedMaster ping thread is not implemented (CTR-2075)
The ConnectedMaster ping thread was not implemented, which meant that the operations center was not able to detect that a connection to a Master was broken.
With this fix, we implement the ping thread to identify and cleanup disconnected Masters.
- RBAC: Empty group members are interpreted as anonymous (CTR-786)
Modifying configuration XML files to specify a group with an empty member name was resulting in any anonymous users automatically considered members of that group.
With this fix, we now sanity check configuration files and filter out empty groups/roles.
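As an added illustration of the sanity check described above (this is not CloudBees' own code; the `group`/`member` element names and the sample XML are constructed assumptions), a small audit that flags groups carrying a blank member entry and filters those entries out before they can be read as a match for anonymous users:

```python
import xml.etree.ElementTree as ET

# Constructed sample RBAC export; element names are assumed for illustration only.
SAMPLE_RBAC_XML = """<groups>
  <group name="admins">
    <members>
      <member>alice</member>
      <member></member>
    </members>
  </group>
  <group name="readers">
    <members>
      <member>bob</member>
      <member>   </member>
    </members>
  </group>
  <group name="ops">
    <members><member>carol</member></members>
  </group>
</groups>"""


def find_empty_members(xml_text):
    """Return the names of groups that contain at least one empty or blank member entry.

    Such entries are the condition the fix guards against: an empty name that can be
    matched against any unauthenticated principal.
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for group in root.iter("group"):
        members = [m.text or "" for m in group.iter("member")]
        if any(not m.strip() for m in members):
            flagged.append(group.get("name"))
    return flagged


def sanitize_groups(xml_text):
    """Return {group name: [non-blank members]}, dropping blank entries (the filtering step)."""
    root = ET.fromstring(xml_text)
    cleaned = {}
    for group in root.iter("group"):
        members = [(m.text or "").strip() for m in group.iter("member")]
        cleaned[group.get("name")] = [m for m in members if m]
    return cleaned


if __name__ == "__main__":
    print("groups with blank members:", find_empty_members(SAMPLE_RBAC_XML))
    print("sanitized:", sanitize_groups(SAMPLE_RBAC_XML))
```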
- Broken link to RBAC group propagated from operations center (CTR-56)
On Client Masters with the Role-based access control (RBAC) Authentication Strategy enforced by operations center, the links to the member Groups on the Roles page were broken.
Now the links direct the user to the Group configuration in operations center.
- Move/Copy/Promote Copy with builds dropdown is not easily accessible (CTR-2158)
Recent UI updates in Jenkins core caused the Copy with builds button dropdown to be less accessible, only appearing when users selected a small section of the button.
With this fix, we split the button into two separate buttons: Copy with builds and Copy without builds.
- RBAC CLI command results in a NOOP at master's root (CTR-1439)
When a Master is connected to operations center and the security realm is pushed from operations center, then RBAC groups and roles operations at Master root are not permitted, as those groups and roles come from operations center.
With this fix, RBAC groups and roles operations at Master root are still not permitted, but return a better message to the user indicating the situation.
- RBAC Groups REST API fails when accessed from a connected Master item (CTR-535)
When accessing OC_URL/jobs/[master_name]/groups/api/json, an error is shown in the UI.
With this fix, the groups and roles created at item level are correctly returned by the HTTP API.
- /groups page is slow when groups have lots of users or the database is slow (CTR-1530)
The load time of the global Groups page was slow when a group had a large number of members.
With this fix, we reduced the amount of data retrieved to render this view.
- Deadlock issue in
There was an issue with com.cloudbees.opscenter.server.rbac that produced a deadlock.
When there were a large amount of Masters with read permissions, an issue was occurring with the alerter of licensing issues that caused a deadlock. With this fix, the issue that was causing the deadlock is no longer a problem.
- Thread contention in Agent page using custom probe command (CTR-2137)
Using the CloudBees Nodes Plus plugin custom probe command in agents may have caused thread contention if the script took a long time to run its checks: queued threads blocked waiting for the result of the probe command, ending with all Jenkins dashboard rendering pages blocked.
With this fix, CloudBees has resolved the thread contention issue.
- Fix a memory leak on RBAC node containers (CTR-979)
There was a memory leak when a high number of nodes were created and deleted (a common behavior when using clouds to provision ephemeral agents). Node objects were not properly collected by the JVM Garbage Collector.
With this fix, node objects are now stored in a cache with weak keys, so entries are properly garbage collected. Item listeners have been also added, so cache entries are invalidated when items are deleted in Jenkins.
- Errors on startup: "The queue was not initialized, the action (enqueue or shutdown) will not take place." (FNDJEN-2037)
The CloudBees Analytics Plugin filled the log with this message when initialization had not finished before an analytics message was sent.
The message is now logged only once.
- Link to CloudBees download in Beekeeper is broken (FNDJEN-2090)
A broken link to the downloads page for our fixed line release products has been fixed.