CloudBees Jenkins Enterprise 1.11.32

CloudBees will no longer be supporting CloudBees Jenkins Enterprise 1.x after July 30, 2020. This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation for CloudBees CI. For information on moving to CloudBees CI, please refer to the CloudBees Jenkins Enterprise 1.x to CloudBees CI on modern cloud platforms migration guide, which has been created to help you with the migration process. Existing customers can also contact their CSM to help ensure a smooth transition.

RELEASED: 2020-06-22

Based on Jenkins LTS 2.235.1-cb-2

Rolling release

Security advisory

Security fixes

Outdated/vulnerable dependency (xmlsec) (CPLT2-6326)

SECURITY FIX: CVE-2019-12400 Apache Santuario XML Security (xmlsec) versions between 2.0.3 and 2.1.4 present security flaws when untrusted code is registered during class loading.

Xmlsec 2.1.4 contains a security fix, and the SAML plugin was updated to use this version.

New features

Two new permissions added

To reflect the needs of medium to larger organizations, two new permissions have been introduced with Jenkins v2.222 which enable a CloudBees Core administrator to delegate some parts of administration to a user without having to grant them the powerful Overall/Administrator permission.

The two new permissions include:

  • Overall/Manage: safely grant a user the ability to manage a subset of CloudBees Core configuration options.

  • Overall/SystemRead: grant a user the ability to view most of CloudBees Core configuration options, but in read-only mode.

When using Role-based matrix authorization as your Global Security Authorization Strategy provided by the CloudBees Role-Based Access Control Plugin, the administrator can grant a user/group the Overall/Manage and/or Overall/SystemRead permission to enable this functionality.

These new permissions are currently “Experimental” and disabled by default. To enable these new permissions, see Delegating Administration.

Feature enhancements

Jenkins UI improvements (FNDJEN-2001, FNDJEN-2076, FNDJEN-1902)

The following enhancements were made to the Jenkins UI as part of CloudBees' ongoing efforts to improve the usability of the UI:

  • Buttons were restyled.

  • The page footer was updated.

  • The user system fonts are now used.

  • Font sizes are now consistent across the application.

Replace Oracle JRE with OpenJDK in Windows distributables (PRD-2460)

Oracle JRE has been replaced with OpenJDK in Windows distributables. This was necessary to prevent potential Oracle licensing violations.

rootCA certificate will expire Oct 2021 (CTR-1724)

The rootCA certificate bundled with the CloudBees Jenkins Enterprise License Entitlement Check plugin will expire in Oct 2021, breaking the ability to check for new plugins or updates.

We added a new root certificate and code support for checking against multiple signing certificates.

Add telemetry for CloudBees High Availability (CTR-1898)

Data collection for the CloudBees Analytics Plugin

Add JCasC compatibility to Trigger Restrictions Plugin (CTR-1568, FNDJEN-2081)

The Trigger Restrictions plugin is now compatible with Jenkins Configuration as Code (JCasC).

JCasC compatibility with the CloudBees Skip Next Build Plugin (CTR-1567)

The CloudBees Skip Next Build Plugin is compatible with Jenkins Configuration as Code (JCasC).

Outdated okhttp v2.7.5 library does not support modern features including TLS 1.3. (NGPIPELINE-374)

Updated to use newer okhttp3 APIs with v3.12.12.

This update only affects instances with the GitHub Branch Source plugin.

Resolved issues

Add JCasC compatibility to git-validated-merge plugin (FNDJEN-2084)

Previous versions of git-validated-merge plugin were not tested to be compatible with JCasC.

The git-validated-merge-plugin is now tested to be compatible with JCasC.

Remove Availability option incompatible with permanent agents (CTR-1813)

In a CloudBees Jenkins operations center, creating a Permanent Agent with the Availability option "Take this node off-line when idle" made the Jenkins instance crash because this Availability option is not compatible with Permanent Agents.

The Take this node off-line when idle Availability option is now only possible for Shared Agents.

Script Security plugin depended on and bundled an outdated version of caffeine. (NGPIPELINE-1172)

Script Security now depends on and bundles caffeine 2.8.2.

This update only affects instances with the Script Security plugin.

PathRemover should abort early after seeing a large number of exceptions (NGPIPELINE-1073)

In certain situations, it is possible for Jenkins to be unable to write or delete from disk during a build because of filesystem permissions. A customer reported a situation where this resulted in tens of thousands of FileSystemExceptions being thrown, which in turn ran the instance out of memory, triggering the OOM killer.

Instead of logging a needlessly large number of these exceptions, we log a reasonable number, 100 or less, and fail the build instead of trying to continue.
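The bounded-failure pattern described above, as an added illustration that is not the Jenkins PathRemover code: a recursive delete that retains at most 100 exceptions and then stops walking the tree. The class and method names (`BoundedDelete`, `DeleteFailed`, `deleteRecursive`) are hypothetical, and the sample tree in `main` is constructed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;

public class BoundedDelete {
    static final int MAX_FAILURES = 100; // cap from the release note; everything else is assumed

    /** Raised when any delete failed; holds at most MAX_FAILURES causes as suppressed exceptions. */
    static class DeleteFailed extends IOException {
        DeleteFailed(Path root, List<IOException> seen) {
            super("Delete of " + root + " stopped after " + seen.size() + " failure(s)");
            seen.forEach(this::addSuppressed);
        }
    }

    static void deleteRecursive(Path root) throws IOException {
        List<IOException> failures = new ArrayList<>();
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            // Keep the exception, and end the walk once the cap is reached so memory stays bounded.
            private FileVisitResult record(IOException e) {
                failures.add(e);
                return failures.size() >= MAX_FAILURES ? FileVisitResult.TERMINATE : FileVisitResult.CONTINUE;
            }
            private FileVisitResult remove(Path p) {
                try {
                    Files.deleteIfExists(p);
                    return FileVisitResult.CONTINUE;
                } catch (IOException e) {
                    return record(e);
                }
            }
            @Override public FileVisitResult visitFile(Path f, BasicFileAttributes a) { return remove(f); }
            @Override public FileVisitResult visitFileFailed(Path f, IOException e) { return record(e); }
            // A directory that still has undeletable children fails here and counts toward the cap too.
            @Override public FileVisitResult postVisitDirectory(Path d, IOException e) { return remove(d); }
        });
        if (!failures.isEmpty()) throw new DeleteFailed(root, failures); // caller fails the build
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("bounded-delete"); // constructed sample tree
        for (int i = 0; i < 500; i++) Files.createFile(root.resolve("f" + i));
        root.toFile().setWritable(false); // as a non-root POSIX user, every unlink now fails
        try {
            deleteRecursive(root);
        } catch (DeleteFailed e) {
            System.out.println(e.getMessage() + ", retained " + e.getSuppressed().length);
        } finally {
            root.toFile().setWritable(true);
            deleteRecursive(root); // clean up the sample tree
        }
    }
}
```

With 500 undeletable files the walk ends at the 100th failure instead of accumulating one exception per file, which is the memory-exhaustion path the fix closes.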

Known issues