CloudBees CI on modern cloud platforms 2.176.2.3

Rolling release: 2019-07-17

Based on Jenkins LTS 2.176.2-cb-3

New features

  • Allow setting global master java options on startup (CPLT2-5662)

  • Updated dependencies to 2.176 baseline (CPLT2-5661)

Resolved issues

Ability to mark Pipeline stage as Unstable (NGPIPELINE-346)

Individual Pipeline stages did not have independent results, causing visualizations to report every stage as unstable no matter which stage actually caused the build to become unstable. A new API was created for more granular status tracking in Pipelines. Plugins such as JUnit that set the build result to unstable were updated to use the new API. New Pipeline steps were created that users can use to set the stage result to unstable; see the warnError and unstable steps at https://www.jenkins.io/doc/pipeline/steps/workflow-basic-steps/. Additionally, the catchError step was updated to allow optionally setting the stage result. Using these new steps allows Blue Ocean to display exactly which stage caused the build to become unstable.

Sidecar Injector Debian base image update (CPLT2-5670)

Sidecar Injector was using a Debian base image with known vulnerabilities. It has been updated to a new sidecar image without the vulnerabilities.

Agents stay in 'Pending' state even after appearing online

Agents stay in 'Pending' state even after appearing online. This can prevent subsequent pod scheduling because the NodeProvisioner logic thinks the agent is still under provisioning when in fact it is connected.

Multiple Kubernetes clouds provisioning improvements (CPLT2-5619)

While using multiple Kubernetes clouds and provisioning a lot of agents, some queue items can stay pending in the queue for several minutes before new agents come in and start picking them up.

Connecting agents via CLI does not require restart (CTR-35)

The Operations Center required a restart to connect to shared agents provisioned via CLI when some optional properties were not fully specified in the agent’s xml configuration. With this fix, creating a shared agent via the CLI no longer requires a restart to connect the agent when specifying an empty <properties /> element.

Prevent XSS of Managed/Client master side panel (CTR-250)

A master with a malicious name could inject JavaScript code to be executed on user access to the master configuration page. This vulnerability has been fixed.

Operations Center credential domain requirement update (CTR-275)

If a connected master had a plugin installed that provided a new credential domain requirement type, and the corresponding plugin was not also installed on Operations Center, then no remote credentials were returned when the master queried for them. With this fix, credential domain requirements are deserialized differently on the Operations Center so that missing classes are handled gracefully.

Switch MCP to use NIO to get better failure diagnostics (CTR-305)

If a directory or file could not be created during a Move/Copy/Promote Operation there were no details informing the user of the cause of the issue. With this fix, the code uses the newer NIO API to enable better error messages in the case of failure.

White bar on top of Teams view (CTR-319)

A blank or white line appeared at the top of the “Teams” view. With this fix, the page design was updated to remove extraneous whitespace.

Invalid credentials cached if refreshed during shutdown (CTR-318)

Credentials cached by client masters could have been lost if the credentials were fetched from the Operations Center as the Operations Center was shutting down. With this fix, the Operations Center signals to client masters that it is shutting down and updated credentials are not available at this time.

Option to decrease master backup time (FNDJEN-809)

During SFTP backups, every single file that needed to be backed up was transferred, one by one, to the SFTP server, where it was packed into the backup file destination. Because of this, even the simplest master backup could require hours to complete. With this fix, users now have the option to back up locally and then upload the backup to the SFTP server to decrease backup time.

Password character blocks masking (JENSEC-50)

When certain characters were included in passwords, masking was blocked. With this fix, password masking now masks strings that match the escaped forms of credentials using the escaping algorithms used in sh, bash, zsh, batch, and powershell. This helps fix the issue where shell echoing is enabled (+x) and credentials are included in parameters echoed back.
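The following added example (not CloudBees or Jenkins code) shows why masking only the literal credential misses it in echoed shell output, and how also matching escaped forms closes the gap. The escaping rules below are simplified illustrations, not the product's algorithms, and the secret and log lines are constructed.

```python
import re

# Characters a POSIX shell treats specially outside quotes (illustrative set).
_SH_SPECIAL = set(" \t\n!\"#$&'()*;<>?[\\]`{|}~")


def escaped_forms(secret):
    """Return the literal secret plus simplified shell-escaped renderings."""
    return {
        secret,
        # Inside a single-quoted word, sh/bash/zsh render ' as '\''
        secret.replace("'", "'\\''"),
        # Backslash rendering: each special character gets a leading backslash.
        "".join("\\" + c if c in _SH_SPECIAL else c for c in secret),
        # PowerShell single-quoted strings double an embedded quote.
        secret.replace("'", "''"),
    }


def build_masker(secrets, include_escaped=True):
    """Build a function that replaces every known secret form with ****."""
    forms = set()
    for s in secrets:
        if not s:
            continue  # an empty secret would match everywhere
        forms |= escaped_forms(s) if include_escaped else {s}
    if not forms:
        return lambda line: line
    # Longest first, so a longer escaped form wins over a shorter form.
    ordered = sorted(forms, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in ordered))
    return lambda line: pattern.sub("****", line)


# Constructed sample data: a secret containing a quote and a dollar sign,
# and the line a shell with command echoing might print for it.
SECRET = "p@ss'w0rd$1"
XTRACE_LINE = "+ curl -u 'deploy:p@ss'\\''w0rd$1' https://example.invalid/upload"

if __name__ == "__main__":
    print(build_masker([SECRET], include_escaped=False)(XTRACE_LINE))  # leaks
    print(build_masker([SECRET])(XTRACE_LINE))                         # masked
```
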

Reduce unnecessary repo clones for PRs (NGPIPELINE-245)

For "Merge" pipeline runs of Pull Requests on GitHub, Jenkins resorts to cloning the whole repository on the Jenkins Master in order to merge the source and target branches. With this fix, Jenkins uses the GitHub API to get the merged Jenkinsfile from the Pull Request “merge_commit_sha”, causing pipelines for open merge PRs to run on the first scan after upgrade.

Clicking on imported template gives 404 (NGPIPELINE-451)

Users clicking on an imported template in a catalog were receiving 404 errors. With this fix, the link is correctly redirected to the Pipeline Template page when users click on a template in a Pipeline Template Catalog.

Update deployer-framework with icu4j release (JENSEC-447)

The Deployer Framework plugin was upgraded to the newest ICU4J library, removing several potential security vulnerabilities.

Known issues

None

Revisions

Revision 2 (2019-07-31)

CloudBees Security Advisory 2019-07-31