Security fixes

Git client plugin versions prior to 3.11.1 are vulnerable to man-in-the-middle attacks (BEE-21945)

Git client plugin versions prior to version 3.11.1 are vulnerable to man-in-the-middle attacks. Additionally, because the CloudBees Git Validated Merge plugin uses the Git client plugin to provide an SSH connection, it is also vulnerable.

This issue has been resolved. The Git client plugin now lets you select from the following options to verify the SSH keys that are presented by the Git repository host servers:

  • Accept first connection strategy (default) - Automatically adds keys to the known_hosts file for hosts that have not been seen before. It refuses connections to previously seen hosts whose keys have changed.

  • Known hosts file - This option verifies all host keys against the known_hosts file.

  • Manually provided keys - This option verifies all host keys against a set of manually configured keys.

  • No verification - Does not verify host keys. This option is insecure and is not recommended.

To configure the host key verification strategy, select Manage Jenkins > Configure Global Security > Git Host Key Verification Configuration.

OpenSSH releases before OpenSSH 7.6 (released Oct 2017) do not support the ssh command line argument used to accept the first connection (BEE-22139)

Red Hat Enterprise Linux 7, CentOS 7, AWS Linux 2, and Debian 9 all deliver OpenSSH releases older than OpenSSH 7.6. The Git Host Key Verification Configuration for those systems cannot use the Accept first connection strategy with the command line git.

Users of those operating systems have the following options:

  • Use the Manually provided Verification Strategy and provide host keys for their git hosts.

  • Use the Known hosts file Verification Strategy and provide a known_hosts file on the agents with values for the required hosts.

  • Enable JGit and use JGit instead of command line git on agents and controllers that have older OpenSSH versions.

  • Switch the repository URLs in the job definitions from SSH protocol to HTTPS protocol and provide a username/password credential for the clone instead of a private key credential.

  • Use the No verification host key verification strategy (not recommended).
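As an added example, not taken from the release notes or from the Git client plugin, the POSIX shell script below applies the OpenSSH 7.6 rule to an agent's `ssh -V` banner and checks that a pre-populated known_hosts file covers a required host. It assumes the "Accept first connection" strategy depends on OpenSSH's `StrictHostKeyChecking=accept-new` (added in 7.6), and the known_hosts entries and banners are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the CloudBees release notes or the Git client plugin.
# Picks a Git Host Key Verification strategy per agent: "Accept first connection"
# relies on StrictHostKeyChecking=accept-new, which OpenSSH added in 7.6, so
# older agents must fall back to a pre-populated known_hosts file.

# Reduce an `ssh -V 2>&1` banner such as "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips ..." to "7.4".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 when the banner describes OpenSSH 7.6 or newer, 1 otherwise
# (including non-OpenSSH clients, which the pattern does not match).
supports_accept_new() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then return 1; fi
    major=${ver%%.*}
    minor=${ver##*.}
    if [ "$major" -gt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# Name the strategy an agent with this banner can use with command line git.
recommended_strategy() {
    if supports_accept_new "$1"; then echo "accept-first-connection"; else echo "known-hosts-file"; fi
}

# Return 0 when a plain-text known_hosts file lists the host in some entry's first
# field (a comma separated list of names/addresses). Hashed "|1|..." entries are
# skipped here; check those with `ssh-keygen -F <host> -f <file>` instead.
known_hosts_has() {
    awk -v h="$2" '
        substr($1, 1, 1) != "|" { n = split($1, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == h) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Constructed sample known_hosts for the demo; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
git.example.com,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDER-NOT-A-REAL-KEY
|1|saltplaceholder=|hashplaceholder= ssh-rsa AAAAB3PLACEHOLDER-NOT-A-REAL-KEY
EOF

recommended_strategy "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"   # RHEL 7 / CentOS 7 style banner
recommended_strategy "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020"
if known_hosts_has "$SAMPLE_KNOWN_HOSTS" git.example.com; then echo "git.example.com is pinned"; fi
```

Run it on each agent with the output of `ssh -V 2>&1` to decide whether the Known hosts file strategy is needed there, and point the second check at the known_hosts file you ship to that agent.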

New features

None.

Feature enhancements

None.

Resolved issues

None.

Known issues

Duplicate Pipeline Template Catalogs in the Configuration as Code (CasC) for Controllers jenkins.yaml file on each instance restart (BEE-12722)

If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.

Upgrade notes

Migration to Java 11 will soon be required for new releases (BEE-42)

The Jenkins community will soon ship Java 11-specific features (Java 11 byte code), after which a Java 8 runtime environment can no longer be used. Because CloudBees CI on modern cloud platforms is based on the Jenkins LTS, future releases of CloudBees CI on modern cloud platforms will have the same requirement.

CloudBees strongly recommends that you upgrade your CloudBees CI on modern cloud platforms environment to run Java 11 as soon as possible. Some of the Java 11 updates may require action on your part, and there may be a specific order in which you must upgrade components in your environment. For more information, refer to Migrating to Java 11.

When you upgrade to Java 11, you must update your Java garbage collection arguments (BEE-16018)

Garbage collection has been updated in Java 11. Many of the previously recommended arguments are no longer supported. When you upgrade your JDK to Java 11, you must also update your garbage collection configuration. Using unsupported Java arguments will result in startup failure.

Jenkins upgrade notes

Jenkins 2.346 upgrade notes