CloudBees Jenkins Platform 2.176.4.3

Security Advisory

Added Jenkins Configuration as Code Plugin version 1.27

Users using plugin catalogs with external Maven2 repository layout for plugin resolution were not able to push the plugin catalog to a client master, and were receiving class not found errors. With this fix, we now use the proper classloader to load the involved classes.

Configuration snippets from Operations Center could be applied before Jenkins was fully loaded, leading to loss of configuration. With this fix, configuration snippets are no longer applied until we are sure that the Jenkins configuration has been deserialized

When a master is disconnected from Operations Center, some but not all configuration snippets would be removed. With this fix, configuration snippets are no longer removed when a master is removed from an Operations Center cluster, so that the existing configuration can be tweaked or removed as desired.

When the Operations Center authorization strategy was changed from the CloudBees Role Based Authorization strategy to something else, Team masters would still have a copy of the outdated configuration. This situation would allow users who had previously been granted Administrator permissions via the RBAC configuration to still have the Administrator permission even though they should no longer have this level of access. With this fix, if the authorization strategy in Operations Center is not CloudBees Role Based Authorization strategy, then the obsolete configuration will be removed from masters.

In Operation Center, the Managed Master contextual menu showed actions that the user was not allowed to execute, so when they would try, they would get an error message. With this fix, the Managed Master contextual menu no shows only the actions that the user is allowed to execute.

Client Master instances could not start if users used a configuration bundle without plugins and/or plugin catalogs. With this fix, the plugins list and plugin catalog fields are optional.

Using the Move/Copy/Promote option to move or delete a managed master for the second time was failing because the log file in the managed master’s old location was not properly closed before moving or deleting the files. With this fix, the log file in the managed master’s old location is closed before the master is moved or deleted and using Move/Copy/Promote works as expected.

The administrative monitor always warned about new versions of the configuration bundle if the client master had a link file. With this fix, the HttpLoader now has its own implementation of getUpstreamVersion, so the configuration is updated correctly.

We fixed a regression in RSS and Atom feeds where an uninitialized variable resulted in partial entries.

Concurrent executions of the Pipeline Template Catalog CLI commands could cause erroneous behavior. With this fix, the Pipeline Template Catalog CLI commands are now synchronized with respect to other operations that modify Pipeline Template Catalogs so that catalogs are not modified concurrently.

In some cases (as in abruptly disconnected browsers) the Pub-Sub “light” plugin was not informed and was unable to store/send messages to some destinations, so some queues kept growing because of retries. With this fix, we have added some TTL (time to live) for the messages queue to discard them after a certain time if not successfully sent.