CloudBees Jenkins Platform 2.346.40.0.11


RELEASED: March 8, 2023

Security fixes

Symlinks were followed when generating a backup in zip format (BEE-29575)

When the Backup plugin generated a backup file in zip format, symlinks were followed instead of being ignored or archived as symlinks. An attacker able to create symlinks inside one of the backed-up directories on the Jenkins controller file system could use this behavior to add additional files from the controller file system to the backup.

This issue has been resolved. Symlinks are now stored as symlinks inside zip archives.
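The difference between following a symlink and storing it can be seen in a short sketch. This is an added example in Python, not the Backup plugin's code; the names `archive_tree` and `demo` are hypothetical, the sample tree is constructed, and a POSIX file system is assumed. It writes each symlink as a symlink entry and reports links that resolve outside the backed-up directory, which is also a useful check to run over existing backup sources.

```python
import io, os, stat, tempfile, zipfile

def archive_tree(zf, root):
    """Add root to zf without following symlinks; return links that escape root."""
    escaped = []
    root_real = os.path.realpath(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            arc = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.readlink(path)
                info = zipfile.ZipInfo(arc)
                info.create_system = 3  # Unix: high 16 bits of external_attr hold the mode
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
                zf.writestr(info, target)  # entry body is the link target, not the file
                resolved = os.path.realpath(path)
                if os.path.commonpath([root_real, resolved]) != root_real:
                    escaped.append((arc, target))
            elif os.path.isfile(path):
                zf.write(path, arc)
    return escaped

def demo():
    """Constructed sample: a backed-up directory holding a link to a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backup_root")
        os.mkdir(root)
        secret = os.path.join(tmp, "outside_secret.txt")
        with open(secret, "w") as f:
            f.write("SECRET-CONTENT")
        with open(os.path.join(root, "config.xml"), "w") as f:
            f.write("<config/>")
        os.symlink(secret, os.path.join(root, "link"))
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            escaped = archive_tree(zf, root)
        with zipfile.ZipFile(buf) as zf:
            is_link = stat.S_ISLNK(zf.getinfo("link").external_attr >> 16)
            body = zf.read("link").decode()
            names = sorted(zf.namelist())
        return names, is_link, body == secret, [arc for arc, _ in escaped]

if __name__ == "__main__":
    print(demo())
```
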

Upgrade jsoup 1.15.2 to jsoup 1.15.3 (BEE-23580)

Upgraded jsoup 1.15.2 to jsoup 1.15.3.

Upgrade jsoup 1.15.2 to jsoup 1.15.3 (BEE-23581)

Upgraded jsoup 1.15.2 to jsoup 1.15.3.

Upgrade jsoup 1.14.3 to jsoup 1.15.3 (BEE-23584)

Upgraded jsoup 1.14.3 to jsoup 1.15.3.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-24093)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade Commons Text 1.9 to Commons Text 1.10.0 (BEE-25769)

Upgraded Commons Text 1.9 to Commons Text 1.10.0.

Upgrade SSHD :: Core 2.9.1 API to SSHD :: Core 2.9.2 API (BEE-29082)

Upgraded SSHD :: Core 2.9.1 API to SSHD :: Core 2.9.2 API.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-29221)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-29222)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-29980)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade Okio API 3.2.0 to Okio API 3.3.0 and Kotlin 1.7.22 to Kotlin 1.8.10 (BEE-30251)

Upgraded Okio API 3.2.0 to Okio API 3.3.0 and Kotlin 1.7.22 to Kotlin 1.8.10.