CloudBees Jenkins Platform 2.319.3.4


RELEASED: 2022-02-15

Security fixes

Bundle generated by the Support Core plugin could contain passwords or other sensitive data (SECURITY-2186)

The bundle that is generated by the Support Core plugin could contain passwords or other sensitive data stored in system variables, Java arguments, or other system files.

In version 2.72.2 of the Support Core plugin, a feature was introduced that automatically redacted any passwords stored in the following files:

  • nodes.md

  • about.md

  • nodes/master/system.properties for controllers and agents

  • nodes/master/environment.txt

  • nodes/slave/name/proc/self/environ and nodes/slave/name/proc/self/cmdline for Linux agents

  • nodes/slave/name/config.xml for each agent

  • launch log files for each agent, located in nodes/slave/name/launchLogs

To support this fix, a text file named security-stop-words.txt has been added to the JENKINS_HOME/support folder. It contains security stop words that are used to detect passwords or secrets. When the bundle is generated, the word "REDACTED" replaces any values associated with these stop words.

For example, if one of the security stop words is "passwd", the following string:

-username.net.passwd=mySecret

will be changed to:

-username.net.passwd=REDACTED

To disable this feature, delete all of the security stop words from the security-stop-words.txt file. Any changes made to the security-stop-words.txt file are applied after a Jenkins instance restart.
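Before sharing a bundle, you can check extracted text files for values that escaped redaction. The following is an added example, not code from CloudBees or the Support Core plugin: the function name, the sample stop words and sample lines are constructed, and the matching rule (case-insensitive substring match on the key of a key=value pair) is an assumption, not the plugin's documented algorithm.

```python
import re

# Constructed stop words. The real list is read from
# JENKINS_HOME/support/security-stop-words.txt.
STOP_WORDS = ["passwd", "password", "secret"]

# Constructed lines in the style of bundle files: a property, a Java
# command line, and a NUL-separated /proc/self/environ record.
SAMPLE = [
    "-username.net.passwd=REDACTED",
    "-username.net.passwd=mySecret",
    "java -Xmx2g -Ddb.password=hunter2 -Dfile.encoding=UTF-8",
    "HOME=/var/jenkins\x00API_SECRET=REDACTED\x00PATH=/usr/bin",
]

# key=value tokens, delimited by whitespace or NUL bytes
PAIR = re.compile(r"([^\s\x00=]+)=([^\s\x00]*)")


def find_unredacted(lines, stop_words):
    """Return (line_number, key) for each key=value pair whose key contains
    a stop word (assumed rule) and whose value is not REDACTED.
    Values are never returned, so the report itself leaks nothing."""
    words = [w.strip().lower() for w in stop_words if w.strip()]
    hits = []
    for number, line in enumerate(lines, 1):
        for key, value in PAIR.findall(line):
            if value in ("", "REDACTED"):
                continue
            if any(w in key.lower() for w in words):
                hits.append((number, key))
    return hits


if __name__ == "__main__":
    for number, key in find_unredacted(SAMPLE, STOP_WORDS):
        print(f"line {number}: value for {key} is not redacted")
```

An empty stop-word list yields no findings, which matches the disabled state described above, so an empty result only means something when the list is populated.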

New features

None.

Feature enhancements

None.

Resolved issues

None.

Known issues

The operations center may run out of disk space if using a local folder as the Configuration as Code (CasC) bundle location (BEE-15449)

If you use a local folder as the Configuration as Code bundle location and an error occurs, a backup folder is automatically added to the operations center. If the local folder contains other files that are not part of a CasC bundle (for example, read-only files, hidden files, or SCM control files), polling synchronization fails and the backup folder is never deleted. Eventually, the operations center may run out of disk space, resulting in a No space left on device exception.

To avoid this issue, you can either use an SCM as the Configuration as Code bundle location, or if using a local folder, ensure that only CasC bundles are stored in the local folder.

This will be corrected in a future version.

Git submodules are not supported when configuring an SCM as the Configuration as Code bundle location (BEE-15832)

If you configure an SCM as the Configuration as Code bundle location and select Recursively update submodules for the selected Project Repository, an exception is returned.

Duplicate Pipeline Template Catalogs in the Configuration as Code jenkins.yaml file on each instance restart (BEE-12722)

If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.