CloudBees Jenkins Enterprise 1.11.26

3 minute read
CloudBees will no longer be supporting CloudBees Jenkins Enterprise 1.x after July 30, 2020. This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation for CloudBees CI. For information on moving to CloudBees CI, please refer to CloudBees Jenkins Enterprise 1.x to CloudBees CI on modern cloud platforms migration guide which has been created to help you with the migration process. Existing customers can also contact their CSM to help ensure a smooth transition.

RELEASED: 2020-01-29

Based on Jenkins LTS2.204.2-cb-4

Rolling release

Security advisory

Example 1. XXE vulnerability in WebSphere Deployer Plugin

SECURITY-1719 / CVE-2020-2108

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.

As of publication of this advisory, there is no fix.

Security fixes

Attackers with Overall/Read, Agent/Secure, and Job/Read can associate any folder they can Job/Read with any agent they can Agent/Secure via CSRF when using the CloudBees Folders Plus Plugin (FNDJEN-1781)

To fix this issue, the use of the crumb issuer has been enforced in some methods and the web page with the authorized agents has been restricted.

This only affects installations that use the CloudBees Folders Plus Plugin.

Cloud connection test implementations allow users with Jenkins.READ permission to steal credentials (FNDJEN-1851)

Access is now protected with RequierePOST annotations and new check for permissions.

CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin

SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

This only affects installations that use the Health Advisor by CloudBees Plugin.

New features

Specifying a matrix of one or more dimensions (NGPIPELINE-378)

The Declarative Pipeline Matrix directive allows users to execute a set of one or more Pipeline stages multiple times-once for every combination defined in the matrix. Matrix combinations are generated from static lists of predefined values. Filters can also be provided to exclude specific combinations.

Feature enhancements


Resolved issues

  • Permit dots in Mesos Masters names (CPLT2-6061)

    When provisioning a Managed Master in Mesos with a dot in the domain, provisioning fails. This is a regression.

    Changes have been made to restore the previous behavior in Mesos master provisioning.

  • Managed Master URL is mangled for unknown reason (CPLT2-6163)

    When using subdomains for operations center and Managed Master URLs, the autogenerated URL pattern is not correct.

    The pattern has been fixed to be correct in this use case.

ATH failure in Gradle plugin (FNDJEN-1532)

Updated to version 1.35 of Gradle plugin to fix the failure as well as improve pipeline support.

Connection to S3 for backup with HTTP only (no SSL) not working (CTR-1030)

This only affects installations that use the CloudBees Backup Plugin.

When overriding an S3 endpoint with a custom endpoint that used the HTTP protocol only, the URL was prefixed by "https://" and ended with an SSL error. With this fix, when an endpoint has only the HTTP protocol set and HTTPS is not present, then the URL begins with "http://".

Update pipeline-build-step to 2.10 and workflow-cps to 2.78 (NGPIPELINE-878)

This only affects installations that use the Pipeline: Build Step and Pipeline: Groovy plugins.

When the build step failed because the downstream build failed, it always reported failure, instead of the actual result of the downstream build. With this fix, the build step now reports the actual result of the downstream build when using the propagate option.

Known issues


Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees ended support for the CloudBees VMware Pool Autoscaling Plugin on April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.