CloudBees Jenkins Distribution

4 minute read

RELEASED: 2020-12-03

Based on Jenkins LTS2.263.1-cb-3

Rolling release

Security advisory

Security advisory

Security fixes

snakeyaml:1.10 dependency removed (CTR-2511)

The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.

Upgraded Script Security plugin dependency (CTR-2238)

The Script Security groovy-sandbox library dependency was included as version 1.20 which contains vulnerabilities.

With this fix, the Script Security plugin does not include the groovy-sandbox library dependency as version 1.20.

Plugin Usage page unprotected (FNDJEN-3225)

The Plugin Usage page didn’t check permissions.

The Plugin Usage page now checks that the user has Administer permissions.

Update commons-io to 2.8 (FNDJEN-3006)

Commons-io v2.6 has a security vulnerability that is not exploitable from the existing code.

Commons-io has been updated to 2.8.0 to remove this vulnerability.

New features

Feature enhancements

Beekeeper Plugin Exceptions are now generally available (GA) (FNDJEN-3069)

For information about this feature, see Beekeeper plugin exceptions.

Dependency updates

The following dependency updates are included with this release:

  • Update minimum required Jenkins version to the latest LTS (2.263.1) (CTR-2577)

  • CloudBees Role-Based Access Control Plugin(nectar-rbac) dependency upgraded to version 5.49 (CTR-2752)

  • The CloudBees License plugin is now compatible with jQuery 3.5.x. (CTR-2602)

Update welcome screen UI - Implementation (FNDJEN-2242)

The Jenkins Welcome screen has been updated.

Users with the Overall/Manage permission can now restart and safe restart Jenkins (CTR-2527)

Some configurations that can be set with Configuration as Code for masters may require a restart of Jenkins or are quicker when using a restart. A user with the Overall/Manage permission can now restart Jenkins.

Resolved issues

Build widget broken when a user has Read permission on a running Pipeline but not its parents (NGPIPELINE-1546)

Users with Read permission on a running Pipeline but only Discover permission on one of its parents' folders were unable to view the main Jenkins dashboard due to errors in the build widget.

The build widget now operates correctly when users have Read access to a Pipeline but not its parents.

Fix for SECO-757 Jenkins log flooded with SSE gateway plugin-related warnings, which increase memory usage (NGPIPELINE-1507)

With Jenkins deployed on Tomcat, if BlueOcean users close tabs abruptly some internal queues can increase the number of Pipelines thereby generating a lot of events.

The default values of some timeouts now handle exceptions and clear queues more quickly.

Remove jQuery and upgrade frontend toolchain on cloudbees-workflow-ui-plugin (NGPIPELINE-1432)

CloudBees Pipeline Stage View Extensions bundled an outdated version of jQuery, and the dialog for deleting or resuming checkpoints had broken styles when running against Jenkins 2.249 or newer.

CloudBees Pipeline Stage View Extensions no longer bundles jQuery, and the styles of the dialog for deleting or resuming checkpoints now work correctly on all versions of Jenkins.

Performance slowdown when credentials cache file gets large (CTR-788)

A new cache implementation is now in OperationsCenterCredentialsProvider to avoid credentials duplication. The cache also periodically cleans out all entries with no updates/access in the last 48 hours.

Clarify that shared configuration is available to all master types (CTR-2583)

With this fix, the description of the Miscellaneous Configuration Container in operations center indicates that it applies to all masters types, not just Client Masters.

The restore of a backup fails with a digest check error when using Azure Storage (CTR-916)

There was an issue in backup creation when using Azure Storage that caused the backup to be created in Azure without the required digest metadata. Because the backup was created without the required digest metadata, restoring the backup would fail, as there was no digest to check integrity against it.

With this fix, the digest metadata is properly attached to the backup file and then used during the restore process.

The inline help referenced HUDSON_HOME (CTR-2702)

The inline help now references JENKINS_HOME as expected.

Form changes: promoted-builds plugin breaks with tables-to-divs changes (FNDJEN-2775)

No user-facing changes. Internal changes fixing compatibility issues of the plugin with the changes on the layout of the forms of the next LTS.

Known issues


Upgrade notes

If upgrading from a rolling release older than, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance.

snakeyaml:1.10 dependency removed (CTR-2511)

The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.

By removing the Snakeyaml dependency we are also removing old migration code, which means updates from versions of this plugin older than 1.1.0 (3 years old) will require a multi-step upgrade.

The multi-step upgrade involves two steps:

  1. Update to a version previous to this one.

  2. Update to this version.

    If users skip a step in the multi-step process, they could incur data loss.

CloudBees Role-Based Access Control Plugin

With this upgrade, for security reasons, we are disabling the ability to configure RBAC groups and role filters at the views level.

See CloudBees Role-Based Access Control Plugin 5.42 for more information about the security vulnerability.

This change means that any previous groups or role filters created in a view will not be applied and you will not be able to configure them.

This update only affects the views themselves, not the items within them. Previous permissions applied to the items are still enforced.

If you were filtering roles on views before this upgrade, these filters will no longer work, so your users may have a more permissive permission scheme on the views.

CloudBees recommends running this script in your script console to determine if you have a configuration on your instance that will be affected by this change.

If you do have a configuration that will be affected by this change, you have two options:

  1. (CloudBees recommended approach) Recreate each view inside a folder and apply the RBAC configuration to the folder. The folder RBAC configuration is propagated to the view since it is inside the folder.

  2. Enable RBAC configuration on views by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer=true.

    This approach is not recommended for security reasons.