CloudBees Jenkins Platform 2.346.40.0.6


RELEASED: November 15, 2022

Security fixes

With this upgrade, the Script Security plugin uses SHA-512-based script approvals. This change is not backward compatible with older releases. Refer to the security fix BEE-14670 in CloudBees CI on traditional platforms 2.361.3.4 or CloudBees CI on modern cloud platforms 2.361.3.4.

Security vulnerabilities were fixed and backported from Jenkins (BEE-14670)

The Script Security plugin now stores whole-script approvals as the SHA-512 hash of the approved script, instead of the SHA-1 hash. Existing SHA-1-based script approvals continue to work, and previously approved scripts have their approval upgraded from SHA-1 to SHA-512 when the script is next loaded or used. Scripts defined inline in job configurations are automatically upgraded on startup.

Older releases of the Script Security plugin do not load SHA-512-based script approvals, so the affected scripts are considered unapproved if the plugin is downgraded to a release that does not contain this change.

If you are using JCasC, the new SHA-512 hash is prefixed with the name of the hash function for future-proofing. Administrators should update their JCasC configurations after the script hashes have been converted, so that their CasC files use the new format.
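To see how far the conversion described above has progressed before regenerating CasC files or considering a downgrade, the approval store can be audited by entry format. The following is an added example, not CloudBees or Jenkins code; the `scriptApproval.xml` layout, the `SHA512:` prefix string, and the function names are assumptions to verify against your own controller.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: legacy entries are bare 40-hex-digit SHA-1 values and upgraded
# entries are "SHA512:" plus 128 hex digits. The page only says the new hash
# carries the hash function's name as a prefix; confirm it on your instance.
LEGACY_SHA1 = re.compile(r"[0-9a-fA-F]{40}")
SHA512 = re.compile(r"SHA512:[0-9a-fA-F]{128}")

# Constructed sample in the assumed layout of $JENKINS_HOME/scriptApproval.xml.
# The hash values are made up and approve nothing.
SAMPLE_XML = f"""<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval>
  <approvedScriptHashes>
    <string>{'a1' * 20}</string>
    <string>SHA512:{'b2' * 64}</string>
    <string>{'c3' * 20}</string>
    <string>SHA512:{'d4' * 32}</string>
  </approvedScriptHashes>
</scriptApproval>"""


def audit_approvals(xml_text):
    """Sort whole-script approvals into legacy SHA-1, SHA-512 and unrecognized."""
    # Drop the XML declaration first: Jenkins may write version 1.1, which
    # parsers limited to XML 1.0 can refuse.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    report = {"sha1": [], "sha512": [], "unrecognized": []}
    for node in ET.fromstring(body).findall("approvedScriptHashes/string"):
        value = (node.text or "").strip()
        if LEGACY_SHA1.fullmatch(value):
            report["sha1"].append(value)       # still works, upgraded on next use
        elif SHA512.fullmatch(value):
            report["sha512"].append(value)     # not loaded by older plugin releases
        else:
            report["unrecognized"].append(value)  # truncated or hand-edited entry
    return report


def ready_for_casc_update(report):
    """True once every approval is in the new prefixed format."""
    return not report["sha1"] and not report["unrecognized"]


if __name__ == "__main__":
    result = audit_approvals(SAMPLE_XML)
    for kind, values in result.items():
        print(f"{kind}: {len(values)}")
    print("ready to regenerate CasC:", ready_for_casc_update(result))
```

The `sha512` list is also the set of approvals that a downgraded plugin would treat as unapproved.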

Refer to CloudBees Security Advisory November 15, 2022 for more information.

Security vulnerabilities were fixed and backported from Jenkins (BEE-20569)

Refer to CloudBees Security Advisory November 15, 2022 for more information.

Security vulnerabilities were fixed and backported from Jenkins (BEE-22962)

Refer to CloudBees Security Advisory November 15, 2022 for more information.

Security vulnerabilities were fixed and backported from Jenkins (BEE-23728)

Refer to CloudBees Security Advisory November 15, 2022 for more information.

Security vulnerabilities were fixed and backported from Jenkins (BEE-23729)

Refer to CloudBees Security Advisory November 15, 2022 for more information.

Security vulnerabilities were fixed and backported from Jenkins (BEE-24053)

Refer to CloudBees Security Advisory November 15, 2022 for more information.