RELEASED: Public: 2018-03-15
Based on Jenkins
Rolling release Security release
XStream and Remoting now use whitelists instead of blacklists
This change is a major security hardening, which protects instances from class deserialization attacks. See https://www.jenkins.io/blog/2018/03/15/jep-200-lts/ for more information.
This change has a high risk of regressions in Jenkins plugins. The list of affected plugins is available on this Wiki page.
If you use home-made or other 3rd-party plugins, they may be affected by the change as well.
You can find troubleshooting and reporting guidelines for this issue in this KB Article.
Config files now use XML
1.1, which allows for the support of additional characters that are not considered legal in XML
1.0documents. Configuration files generated by previous versions will be silently updated to the new version, and are not backwards compatible with older instances.
While this change should be transparent for most users, there are two points worth noting:
Move/Copy/Promote operations from a master with this version to an older version master will fail, as the copied artifacts will contain XML
1.1configuration files which cannot be be parsed by the older master. A warning will be displayed when attempting to perform a Move/Copy/Promote operation under these circumstances. Move/Copy/Promote operations from an older version to a newer one are unaffected.
Downgrading to a previous version is generally discouraged, and will fail with numerous XML parsing exceptions when downgrading to a version older than this one, due to the configuration files having a declaration tag specifying that they are XML
1.1. If a downgrade must be performed, it will be necessary to perform a global find/replace operation on all XML files.
Added blueocean-core-js version
Added jenkins-design-language version