CloudBees Jenkins Distribution 2.249.3.3 Revision 2

2 minute read

RELEASED: 2020-11-20

Based on Jenkins LTS2.249.3-cb-2

Rolling release

Upgrade notes

If upgrading from a rolling release older than 2.249.1.2, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance.

CloudBees Role-Based Access Control Plugin

With this upgrade, for security reasons, we are disabling the ability to configure RBAC groups and role filters at the views level.

See CloudBees Role-Based Access Control Plugin 5.42 for more information about the security vulnerability.

This change means that any previous groups or role filters created in a view will not be applied and you will not be able to configure them.

This update only affects the views themselves, not the items within them. Previous permissions applied to the items are still enforced.

If you were filtering roles on views before this upgrade, these filters will no longer work, so your users may have a more permissive permission scheme on the views.

CloudBees recommends running this script in your script console to determine if you have a configuration on your instance that will be affected by this change.

If you do have a configuration that will be affected by this change, you have two options:

  1. (CloudBees recommended approach) Recreate each view inside a folder and apply the RBAC configuration to the folder. The folder RBAC configuration is propagated to the view since it is inside the folder.

  2. Enable RBAC configuration on views by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer=true.

    This approach is not recommended for security reasons.

Revisions

Revision 2 (2020-11-20)

In some cases, a bug in the Jenkins Pipeline: Nodes and Processes plugin prevents users with the Job/Discover permission from being able to see the build status in the build executor widget on the side panel of the Jenkins dashboard. In place of the build status, the “angry Jenkins” icon appears. (FNDJEN-3297)

The following versions of CloudBees' Jenkins-based products are affected:

  • 2.249.1.1

  • 2.249.1.2

  • 2.249.2.1

  • 2.249.2.2

  • 2.249.2.3

  • 2.249.2.4

  • 2.249.3.1

  • 2.249.3.2

  • 2.249.3.3

The following is an example Jenkins log file entry for this issue:

2020-10-06 09:13:14.910+0000 [id=1305202] WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 50acb1fe-4052-420f-b3f8-147648dbb9bd
org.apache.commons.jelly.JellyTagException: jar:file:/var/jenkins_home/war/WEB-INF/lib/jenkins-core-2.259.jar&#33;/hudson/model/View/sidepanel.jelly:75:50: <st:include> org.apache.commons.jelly.JellyTagException: jar:file:/var/jenkins_home/war/WEB-INF/lib/jenkins-core-2.259.jar&#33;/lib/hudson/executors.jelly:75:28: <j:otherwise>
Please login to access job <masked> at org.apache.commons.jelly.impl.TagScript.handleException(TagScript.java:726)

To fix this issue, apply this update.

As a workaround in the meantime, this problem will disappear if you remove the Job/Discover permission from all users and groups. This permission is only intended for configurations that grant Overall/Read permission to anonymous users and has very little benefit in other configurations.