Based on Jenkins
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.
- Beekeeper plugin exceptions (FNDJEN-2567)
Beekeeper plugin exceptions provide a way to fix urgent bugs or security issues related to plugins by upgrading to a version of a plugin that is not yet available in the CloudBees Assurance Program.
See Beekeeper plugin exceptions for more information.
- The email-ext plugin and Configuration as Code (FNDJEN-2110)
This plugin is now compatible with Configuration as Code.
- Jenkins user interface updates (FNDJEN-2723, FNDJEN-2237, FNDJEN-2232, FNDJEN-2193, FNDJEN-2025, FNDJEN-2691)
As part of CloudBees' ongoing effort to update the Jenkins user interface, the following enhancements were made:
Colors were normalized in different widgets to be consistent with the new color palette.
Tables were restyled with more inner spacing to improve readability. The tables also now use colors that are consistent with the rest of the UI.
Hyperlink styles were updated.
Side panel widgets were restyled to have a more modern look.
Sidebar task list appearance and accessibility were improved.
- Warnings NG plugin included in CAP (STICKY-633)
One of the most popular Jenkins LTS plugins, Warnings Next Generation, is now part of the CloudBees Assurance Program (CAP).
Using the Warnings NG plugin greatly enriches the information surfaced through the CloudBees SCM, Slack, and Microsoft Teams Integration plugins.
While the Warnings NG plugin could be used with these plugins before, for customers who strictly use CAP plugins, it was not previously an option.
- Allow/disallow Beekeeper Plugin Exceptions (CTR-2197)
A connected master can be configured to allow/disallow Beekeeper Plugin Exceptions from the master configuration page.
- Upgraded CloudBees Fast Archiving Plugin dependencies (CTR-2281)
The parent pom dependency org.jenkins-ci.plugins:structs is now 1.20 and commons-net is 3.6, which are compatible with Jenkins 2.250.
- Upgraded CloudBees Request Filter Plugin dependencies (CTR-2284)
The parent pom dependency nectar-license is now 8.28, which is compatible with Jenkins 2.250.
- Upgraded CloudBees RBAC Auto Configurer plugin dependencies (CTR-2279)
The parent pom dependency and org.jenkins-ci.plugins:structs are now 1.20, which is compatible with Jenkins 2.250.
- Upgraded CloudBees Groovy View Plugin dependencies (CTR-2283)
The parent pom dependency org.jenkins-ci.plugins:structs is now 1.20, which is compatible with Jenkins 2.250.
- Upgraded CloudBees Skip Next Build Plugin dependencies (CTR-2278)
The parent pom dependency org.jenkins-ci.plugins:structs is now 1.20, which is compatible with Jenkins 2.250.
- Upgraded CloudBees Restart Aborted Builds Plugin dependencies (CTR-2280)
The parent pom dependency org.jenkins-ci.plugins:structs is now version 1.20 and org.jenkins-ci:symbol-annotation is 1.20. Both are compatible with Jenkins version 2.250.
- Upgraded Notification API plugin dependencies (CTR-2285)
The Notification API plugin now uses Jenkins Configuration as Code (JCasC) version 1.40 which is compatible with Jenkins version 2.250 and above.
- Upgraded CloudBees Backup Plugin dependencies (CTR-2282)
The plugin dependency org.jenkins-ci.plugins:structs is now compatible with Jenkins 2.250.
- [JENKINS-48837] Add
Multibranch Pipeline jobs have an option to configure Branch Property Strategies. Org folders did not support this Branch Property Strategy configuration. This prevented the child Multibranch Pipeline jobs from having Branch Property Strategies configured.
With this fix, we added the ability for Org folders to configure Branch Property Strategies for their Multibranch Pipeline children.
- GitHubAppCredentials from operations center on masters (CTR-2183)
With this fix, the serialization mechanism works as expected.
- Terminology update for CLI help (CTR-2250)
CloudBees has removed the "slave" term from CLI help for enable-agent-trader, replacing it with "agent".
- Remove deprecated slave commands (CTR-226)
CloudBees removed the following deprecated CLI commands:
Use their agent replacement CLI commands:
- Master configuration page not properly displaying Plugin Catalog configuration (CTR-2349)
The master configuration page was not properly displaying the status for the Plugin Catalog configuration.
With this fix, the master configuration page displays the correct status for Plugin Catalogs.
- Move/Copy of Multibranch does not copy the build files of branches with names with symbols (CTR-1842)
Builds from Multibranch Pipelines created from branches with long names or containing special characters are now copied/moved.
- Wording in Configure Global Security refers to Client Masters instead of connected masters (CTR-2145)
A section in Global Security has been updated to indicate the settings apply to more than just Client Masters and include any connected masters.
- JENKINS-63516: Use of password parameters with the input step broken in Jenkins 2.236+ (NGPIPELINE-1368)
Prevent changes in Jenkins 2.236 from breaking the use of password parameters with the input step.
- JENKINS-63499: Use of password parameters in the Declarative parameters directive broken in Jenkins 2.236+ (NGPIPELINE-1370)
Prevent changes in Jenkins 2.236 from breaking the use of password parameters with the parameters directive.
- Environment variables textbox for folders located in an incorrect place (NGPIPELINE-1221)
When using the Folder plus plugin in v220.127.116.11, the Environment variables textbox for the folder was located in an incorrect place.
We removed section headers from the Docker workflow properties and now the Environment variable textbox is located in the correct place.
- Docker workflow fails with empty string environment variable (NGPIPELINE-1351)
Empty string environment variables caused a malformed Docker run command in
With this fix, we added a check for empty key values.
- JENKINS-63164: Completed node steps restart after resuming Pipelines in some cases (NGPIPELINE-1330)
In some cases, block-scoped steps that had already completed could be persisted in serialized Pipelines, causing the already-completed steps to resume when the Pipeline resumed.
With this fix, completed block-scoped steps should no longer be persisted in the state of serialized Pipelines.
- JENKINS-62305: Password parameters cannot be used with the build step in Jenkins 2.236+ (NGPIPELINE-1331)
Password parameters no longer worked with the Pipeline build step in Jenkins 2.236 and newer.
With this fix, password parameters now work with the Pipeline build step in Jenkins 2.236 and newer.
- Detached plugins not aligned with envelope versions (PRD-2623)
Some detached plugins embedded into the WAR file were unaligned with contents of the CloudBees Assurance Program. As a result, security scans on some distributables could show false positives even if those misaligned plugins were overridden by plugins from the CloudBees Assurance Program during installation.
Detached plugins and plugins in the CloudBees Assurance Program are now aligned.
- Version 4.0 or higher of .NET Framework is required to launch controller or agents on Windows services
Starting from this release, .NET Framework 2.0 can no longer be used to launch the CloudBees controller or agents as Windows services. Microsoft .NET Framework 4.0 or above is now required for the default service management features.
This release also upgrades Windows Service Wrapper (WinSW) from 2.3.0 to 2.9.0 and replaces the bundled binary from a .NET Framework 2.0 build to a .NET Framework 4.0 build. These versions include many improvements and fixes; big thanks to NextTurn and all other contributors. You can find the full WinSW changelog here; a few highlights important to CloudBees users:
Prompt for permission elevation when administrative access is required. Now CloudBees users do not need to run the agent process as Administrator to install the agent as a service from GUI.
Enable TLS 1.1/1.2 in .NET Framework 4.0 packages on Windows 7 and Windows Server 2008 R2.
Enable strong cryptography when running .NET Framework 4.0 binaries on .NET 4.6.
Support security descriptor string in the Windows service definition.
Support 'If-Modified-Since' and proxy settings for automatic downloads.
Fix Runaway Process Killer extension so that it does not kill wrong processes with the same PID on startup.
Fix the default domain name in the
Fix archiving of old logs in the
Use-cases affected by .NET Framework 2.0 support removal
If you use .NET Framework 2.0 to run the CloudBees Windows services, the following use cases are likely to be affected:
Installing the CloudBees controller as a Windows service from Web UI. The official MSI Installer supports .NET Framework 2.0 for the moment, but it will be changed in future versions.
Installing agents as Windows services from GUI. This feature is provided by the Windows Agent Installer Module from the Jenkins core.
Installing agents over Windows Management Instrumentation (WMI) via the WMI Windows Agents plugin
Auto-updating of Windows service wrappers on agents installed from GUI.
+ If all of your CloudBees controller and agent instances already use .NET Framework 4.0 or above, there are no special upgrade steps required.
+ If you run the CloudBees controller as a Windows Service with .NET Framework 2.0, this instance will require an upgrade of .NET Framework to version 4.0 or above. .NET Framework 4.6.1 or above is recommended because this .NET version provides many platform features by default (e.g. TLS 1.2 encryption and strong cryptography), and Windows Service Wrapper does not have to apply custom workarounds.
+ If you want to continue running some of your agents with .NET Framework 2.0, the following extra upgrade steps are required:
. Disable auto-upgrade of Windows Service Wrapper on agents by setting the -Dorg.jenkinsci.modules.windows_slave_installer.disableAutoUpdate=true flag on the CloudBees controller side.
. Upgrade agents with .NET Framework 4.0+ by downloading the recent Windows Service Wrapper 2.x version from WinSW GitHub Releases and manually replacing the wrapper ".exe" files in the agent workspaces.
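To decide which of the three upgrade cases above applies to a given Windows host, the following added PowerShell check (not CloudBees' own code) reads the .NET Framework setup registry keys Microsoft documents, reports whether the host meets the 4.0 minimum and the 4.6.1 recommendation, and, on a controller, confirms that the disableAutoUpdate flag is present in the service wrapper's JVM arguments. The jenkins.xml path and its <arguments> element are assumptions; adjust them to your installation.

```powershell
# Added example, not from the CloudBees release notes. Run on each controller and
# agent host. Registry layout per Microsoft's ".NET Framework versions" docs.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

# Release DWORD thresholds -> minimum .NET Framework 4.x version (descending order).
$releaseTable = @(
    @{ Release = 533320; Version = '4.8.1' }, @{ Release = 528040; Version = '4.8'   },
    @{ Release = 461808; Version = '4.7.2' }, @{ Release = 461308; Version = '4.7.1' },
    @{ Release = 460798; Version = '4.7'   }, @{ Release = 394802; Version = '4.6.2' },
    @{ Release = 394254; Version = '4.6.1' }, @{ Release = 393295; Version = '4.6'   },
    @{ Release = 379893; Version = '4.5.2' }, @{ Release = 378675; Version = '4.5.1' },
    @{ Release = 378389; Version = '4.5'   }
)

function Get-DotNet4Version {
    $full = Get-ItemProperty -Path "$ndp\v4\Full" -ErrorAction SilentlyContinue
    if (-not $full) { return $null }                 # no .NET Framework 4.x installed
    if (-not $full.Release) { return $full.Version } # plain 4.0 has no Release value
    foreach ($entry in $releaseTable) {
        if ($full.Release -ge $entry.Release) { return $entry.Version }
    }
    return $full.Version
}

# Controller side: is the flag from the release notes in the WinSW JVM arguments?
# Assumes a WinSW-style jenkins.xml with a <service><arguments> element.
function Test-WinSWAutoUpdateDisabled([string]$ServiceXml) {
    [xml]$cfg = Get-Content -Path $ServiceXml
    return [bool]($cfg.service.arguments -match 'windows_slave_installer\.disableAutoUpdate=true')
}

$has20 = Test-Path "$ndp\v2.0.50727"
$v4    = Get-DotNet4Version

Write-Host "Legacy .NET Framework 2.0 present : $has20"
Write-Host ".NET Framework 4.x version        : $(if ($v4) { $v4 } else { 'not installed' })"

if (-not $v4) {
    Write-Warning 'Below the WinSW 2.9.0 minimum: install .NET Framework 4.0 or later before upgrading.'
} elseif ([version]$v4 -lt [version]'4.6.1') {
    Write-Warning 'Meets the 4.0 minimum; 4.6.1+ is recommended so TLS 1.2 and strong crypto are on by default.'
} else {
    Write-Host 'OK: no special .NET upgrade steps required on this host.'
}

$controllerXml = 'C:\CloudBees\jenkins.xml'   # assumed path, adjust to your install
if (Test-Path $controllerXml) {
    Write-Host "Agent WinSW auto-update disabled on controller: $(Test-WinSWAutoUpdateDisabled $controllerXml)"
}
```

Hosts reporting "not installed" or a 4.x version below 4.6.1 are the ones that fall under the second and third cases above; agents kept on .NET Framework 2.0 must only be connected to a controller where the flag check returns True.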