Security fixes
With this upgrade, the Script Security plugin uses SHA-512-based script approvals. This change is not backward compatible with older releases. Refer to the security fix BEE-14670 in CloudBees CI on traditional platforms 2.361.3.4 or CloudBees CI on modern cloud platforms 2.361.3.4. |
- Security vulnerabilities were fixed and backported from Jenkins (BEE-14670)
-
The Script Security plugin now stores whole-script approvals as the SHA-512 hash of the approved script, instead of SHA-1 hashes. The existing SHA-1-based script approvals continue to work, and previously approved scripts will have their approval upgraded from SHA-1 to SHA-512 when the script is next loaded or used. The scripts defined inline in job configurations are automatically upgraded on startup.
The older releases of the Script Security plugin do not load the SHA-512-based script approvals, so the affected scripts are considered unapproved if the plugin is downgraded to a release that does not contain this change.
If you are using JCasC, the new SHA-512 hash is prefixed with the name of the hash function for future proofing. Administrators should update the JCasC configurations after the script hashes have been converted to get the new format for their CasC files.
Refer to CloudBees Security Advisory November 15, 2022 for more information.
- Security vulnerabilities were fixed and backported from Jenkins (BEE-20569)
-
Refer to CloudBees Security Advisory November 15, 2022 for more information.
- Security vulnerabilities were fixed and backported from Jenkins (BEE-22962)
-
Refer to CloudBees Security Advisory November 15, 2022 for more information.
- Security vulnerabilities were fixed and backported from Jenkins (BEE-23728)
-
Refer to CloudBees Security Advisory November 15, 2022 for more information.
- Security vulnerabilities were fixed and backported from Jenkins (BEE-23729)
-
Refer to CloudBees Security Advisory November 15, 2022 for more information.
- Security vulnerabilities were fixed and backported from Jenkins (BEE-24053)
-
Refer to CloudBees Security Advisory November 15, 2022 for more information.
Known issues
- Sandboxed Groovy scripts, including Pipelines, that use the
@Field
annotation to declare fields with a type other thanObject
and do not provide an initial value for the field fail to compile. -
The Sandboxed Groovy scripts, including Pipelines, that use the
@Field
annotation to declare fields with a type other thanObject
and do not provide an initial value for the field fail to compile. You should define an initial value for any fields that are declared using the@Field
annotation, or change their declared type toObject
.
For example, the following fields cause the script to fail to compile:
-
@Field String myField1
-
@Field Integer myField2
To resolve this, provide an initial value as in the following examples:
-
@Field String myField1 = null
-
@Field Integer myField2 = 0
You can also declare the fields as type Object
as in the following examples:
-
@Field def myField1
-
@Field Object myField2
This is being tracked as JENKINS-69899.
- Jira Plugin removed from CAP (BEE-22980)
-
The Jira Plugin has been removed from the CloudBees Assurance Program (CAP).
- JIRA Integration For Blue Ocean Plugin removed from CAP (BEE-23090)
-
The JIRA Integration For Blue Ocean Plugin has been removed from the CloudBees Assurance Program (CAP).
- CloudBees Docker Build And Publish Plugin removed from CAP (BEE-22981)
-
The CloudBees Docker Build And Publish Plugin has been removed from the CloudBees Assurance Program (CAP).
- Mecurial Plugin removed from CAP (BEE-22979)
-
The Mecurial Plugin has been removed from the CloudBees Assurance Program (CAP).
- MSBuild Plugin removed from CAP (BEE-22978)
-
The MSBuild Plugin has been removed from the CloudBees Assurance Program (CAP).
- Duplicate Pipeline Template Catalogs in the Configuration as Code
jenkins.yaml
file on each instance restart (BEE-12722) -
If a Pipeline Template Catalog is configured in the CasC
jenkins.yaml
file and theid
property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.
Upgrade notes
With this upgrade, the Script Security plugin uses SHA-512-based script approvals. This change is not backward compatible with older releases. Refer to the security fix BEE-14670 in CloudBees CI on traditional platforms 2.361.3.4 or CloudBees CI on modern cloud platforms 2.361.3.4. |
- End of life announcement (BEE-23004)
-
After assessing the viability of our supported plugins, CloudBees will no longer support the following plugins:
-
CloudBees Docker Build and Publish
-
Jira
-
JIRA Integration For Blue Ocean
-
Mercurial
-
MSBuild
-
Promoted Builds
-
These plugins have been removed from the CloudBees Assurance Program (CAP). This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation, as well as maintaining existing products that are actively used by customers.
If you installed any of these plugins using a Configuration as Code bundle via the plugins.yaml
file, you must include them in the plugin catalog to continue using them.
Refer to Installing non-CAP plugins with plugin catalogs.
For more information regarding this end-of-life announcement, please contact your Customer Success Manager.
- Migration to Jakarta Mail (BEE-22565)
-
The CloudBees Nodes Plus plugin and the Operations Center Server plugin were updated to use jakarta.mail instead of javax.mail. This migration may break existing scripts that relied upon javax.mail. You may need to recreate any broken scripts.
- Java 11 is now required
-
Beginning with the September release, Java 11 is now required to run CloudBees CI. It is not possible to run the operations center, the controllers, or agents on Java 8 any longer. Java Web Start is no longer supported for inbound agents.
For more information, refer to Migrate to Java 11.
- When you upgrade to Java 11, you must update your Java garbage collection arguments (BEE-16018)
-
Garbage collection has been updated in Java 11. Many of the previously recommended arguments are no longer supported. When you upgrade your JDK to Java 11, you must also update your garbage collection configuration. Using unsupported Java arguments will result in startup failure.
For more information, refer to Adding Java arguments to the Jenkins service configuration file.