RELEASED: 2020-12-03
Based on Jenkins
LTS2.263.1-cb-3
Rolling release
Security advisory
Security advisory
-
CloudBees Security Advisory 2020-12-03
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.
Security fixes
- snakeyaml:1.10 dependency removed (CTR-2511)
-
The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.
- Upgraded Script Security plugin dependency (CTR-2238)
-
The Script Security groovy-sandbox library dependency was included as version 1.20 which contains vulnerabilities.
With this fix, the Script Security plugin does not include the groovy-sandbox library dependency as version 1.20.
- Plugin Usage page unprotected (FNDJEN-3225)
-
The Plugin Usage page didn’t check permissions.
The Plugin Usage page now checks that the user has Administer permissions.
- Update commons-io to 2.8 (FNDJEN-3006)
-
Commons-io v2.6 has a security vulnerability that is not exploitable from the existing code.
Commons-io has been updated to 2.8.0 to remove this vulnerability.
Feature enhancements
- Beekeeper Plugin Exceptions are now generally available (GA) (FNDJEN-3069)
-
For information about this feature, see Beekeeper plugin exceptions.
- Dependency updates
-
The following dependency updates are included with this release:
-
Update minimum required Jenkins version to the latest LTS (2.263.1) (CTR-2577)
-
CloudBees Role-Based Access Control Plugin(nectar-rbac) dependency upgraded to version 5.49 (CTR-2752)
-
The CloudBees License plugin is now compatible with jQuery 3.5.x. (CTR-2602)
-
- Update welcome screen UI - Implementation (FNDJEN-2242)
-
The Jenkins Welcome screen has been updated.
- Users with the
Overall/Managepermission can now restart and safe restart Jenkins (CTR-2527) -
Some configurations that can be set with Configuration as Code for masters may require a restart of Jenkins or are quicker when using a restart. A user with the
Overall/Managepermission can now restart Jenkins.
Resolved issues
- Build widget broken when a user has Read permission on a running Pipeline but not its parents (NGPIPELINE-1546)
-
Users with Read permission on a running Pipeline but only Discover permission on one of its parents' folders were unable to view the main Jenkins dashboard due to errors in the build widget.
The build widget now operates correctly when users have Read access to a Pipeline but not its parents.
- Fix for SECO-757 Jenkins log flooded with SSE gateway plugin-related warnings, which increase memory usage (NGPIPELINE-1507)
-
With Jenkins deployed on Tomcat, if BlueOcean users close tabs abruptly some internal queues can increase the number of Pipelines thereby generating a lot of events.
The default values of some timeouts now handle exceptions and clear queues more quickly.
- Remove jQuery and upgrade frontend toolchain on cloudbees-workflow-ui-plugin (NGPIPELINE-1432)
-
CloudBees Pipeline Stage View Extensions bundled an outdated version of jQuery, and the dialog for deleting or resuming checkpoints had broken styles when running against Jenkins 2.249 or newer.
CloudBees Pipeline Stage View Extensions no longer bundles jQuery, and the styles of the dialog for deleting or resuming checkpoints now work correctly on all versions of Jenkins.
- Performance slowdown when credentials cache file gets large (CTR-788)
-
A new cache implementation is now in
OperationsCenterCredentialsProviderto avoid credentials duplication. The cache also periodically cleans out all entries with no updates/access in the last 48 hours. - Clarify that shared configuration is available to all master types (CTR-2583)
-
With this fix, the description of the Miscellaneous Configuration Container in operations center indicates that it applies to all masters types, not just Client Masters.
- The restore of a backup fails with a digest check error when using Azure Storage (CTR-916)
-
There was an issue in backup creation when using Azure Storage that caused the backup to be created in Azure without the required digest metadata. Because the backup was created without the required digest metadata, restoring the backup would fail, as there was no digest to check integrity against it.
With this fix, the digest metadata is properly attached to the backup file and then used during the restore process.
- The inline help referenced
HUDSON_HOME(CTR-2702) -
The inline help now references
JENKINS_HOMEas expected. - Form changes: promoted-builds plugin breaks with tables-to-divs changes (FNDJEN-2775)
-
No user-facing changes. Internal changes fixing compatibility issues of the plugin with the changes on the layout of the forms of the next LTS.
Upgrade notes
| If upgrading from a rolling release older than 2.249.1.2, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance. |
- snakeyaml:1.10 dependency removed (CTR-2511)
-
The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.
By removing the Snakeyaml dependency we are also removing old migration code, which means updates from versions of this plugin older than 1.1.0 (3 years old) will require a multi-step upgrade.
The multi-step upgrade involves two steps:
-
Update to a version previous to this one.
-
Update to this version.
If users skip a step in the multi-step process, they could incur data loss.
-