Security fixes
For the following fixes to take effect, users MUST manually restart their CloudBees CI instance. |
- OC items in nested folders did not have their RBAC configuration correctly migrated (CTR-2742)
-
An update in the November rolling release (2.249.3.1) caused an issue with operations center items in nested folders RBAC configurations. This version corrects this operations center items in nested folders RBAC configurations issue by performing an additional migration of the RBAC configuration for all the OC items in the Jenkins instance, not just the items defined at the top level.
- Nested folders did not have their RBAC configuration correctly migrated (CTR-2740)
-
An update in the November rolling release (2.249.3.1) caused an issue with nested folders RBAC configuration. This version corrects this nested folders RBAC configuration issue by performing an additional migration of the RBAC configuration for all the folders in the Jenkins instance, not just the folders defined at the top level.
- RBAC permissions were not applied correctly when RBAC on views is disabled(CTR-2748)
-
Since the November rolling release (2.249.3.1), it’s not possible to define groups on views, so the expected permissions set should be coming from the view’s parent item. However there was a bug which made the permission set to be the root one (ie. whatever is defined at root level).
This fix is making the view use the permission set coming from the view’s owner. So if the view is inside a folder, then the folder groups and roles are applied. Or if the view is on the root level, the global groups and roles are applied.
Known issues
- Version 4.0 or higher of .NET Framework is required to launch controller or agents on Windows services
-
Starting from this release, .NET Framework 2.0 doesn’t work for launching CloudBees controller or agents as Windows services. Microsoft.NET Framework 4.0 or above is now required for using the default service management features.
This release also upgrades Windows Service Wrapper (WinSW) from 2.3.0 to 2.9.0 and replaces the bundled binary from .NET Framework 2.0 to 4.0. There are many improvements and fixes in these versions, big thanks to NextTurn and all other contributors. You can find the full WinSW changelog here, just a few highlights important to CloudBees users:
-
Prompt for permission elevation when administrative access is required. Now CloudBees users do not need to run the agent process as Administrator to install the agent as a service from GUI.
-
Enable TLS 1.1/1.2 in .NET Framework 4.0 packages on Windows 7 and Windows Server 2008 R2.
-
Enable strong cryptography when running .NET Framework 4.0 binaries on .NET 4.6.
-
Support security descriptor string in the Windows service definition.
-
Support 'If-Modified-Since' and proxy settings for automatic downloads.
-
Fix Runaway Process Killer extension so that it does not kill wrong processes with the same PID on startup.
-
Fix the default domain name in the
serviceaccount
parameter (JENKINS-12660) -
Fix archiving of old logs in the
roll-by-size-time
mode.
-
- Use-cases affected by .NET Framework 2.0 support removal
-
If you use .NET Framework 2.0 to run the CloudBees Windows services, the following use cases are likely to be affected:
-
Installing the CloudBees controller as a Windows service from Web UI. The official MSI Installer supports .NET Framework 2.0 for the moment, but it will be changed in future versions.
-
Installing agents as Windows services from GUI. This feature is provided by the Windows Agent Installer Module from the Jenkins core.
-
Installing agents over Windows Management Instrumentation (WMI) via the WMI Windows Agents plugin
-
Auto-updating of Windows service wrappers on agents installed from GUI.
-
- Upgrade guidelines
-
If all of your CloudBees controller and agent instances already use .NET Framework 4.0 or above, there are no special upgrade steps required.
If you run the CloudBees controller as a Windows Service with .NET Framework 2.0, this instance will require an upgrade of .NET Framework to version 4.0 or above. .NET Framework 4.6.1 or above is recommended because this .NET version provides many platform features by default (e.g. TLS 1.2 encryption and strong cryptography), and Windows Service Wrapper does not have to apply custom workarounds.
If you want to continue running some of your agents with .NET Framework 2.0, the following extra upgrade steps are required:
-
Disable auto-upgrade of Windows Service Wrapper on agents by setting the
-Dorg.jenkinsci.modules.windows_slave_installer.disableAutoUpdate=true
flag on the CloudBees controller side. -
Upgrade agents with .NET Framework 4.0+ by downloading the recent Windows Service Wrapper 2.x version from WinSW GitHub Releases and manually replacing the wrapper ".exe" files in the agent workspaces.
-
Upgrade notes
If upgrading from a rolling release older than 2.387.1.3, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance. |