New features

None

Resolved issues

CloudBees Nodes Plus Plugin unrelated exception issue (CTR-761)

Upgraded CloudBees Nodes Plus Plugin from 1.17 to 1.18. When the user set a 'blank' probe command for a node, an odd and unrelated exception was shown in the logs. With this fix, a blank command is treated as a command failure, and the cause is displayed in the node monitor and in the logs.

CloudBees RBAC Plugin XSS issue (CTR-735)

Upgraded CloudBees Role-Based Access Control Plugin from 5.27 to 5.28. A stored XSS payload could be submitted in a group's description, and anyone who viewed that description via its tooltip would then trigger the XSS. With this fix, the group's description is passed through MarkupFormatter, which transforms the content according to the formatter configured in the Global Security section.

Operations Center Agent Plugin ClassicConnector issue (CTR-410)

Upgraded Operations Center Agent Plugin from 2.190.0.1 to 2.190.0.2. In some cases, when the connection between controller and OC failed, it was retried with a deprecated and insecure connector (ClassicConnector). With this fix, we have disabled ClassicConnector (by default), so it’s not used.

Operations Center Context Plugin XSS issue (CTR-760)

Upgraded Operations Center Context Plugin from 2.190.0.1 to 2.190.0.2. An XSS vulnerability was possible when an item with a malicious display name was shown in the Move/Copy/Promote browser bar. With this fix, user input is sanitized before adding it to the HTML source, preventing an XSS vulnerability.
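Both XSS fixes above (CTR-735 and CTR-760) come down to the same rule: a user-controlled string (a group description, an item display name) must be encoded for the HTML context it lands in before it is concatenated into the page. The following is an added illustration written for these notes, not code from the CloudBees plugins; the function names, the tooltip markup and the sample display name are all constructed for the example. It places the vulnerable concatenation next to the escaped version and includes a small check a reviewer or test can use to confirm no tag other than the intended wrapper survives.

```javascript
// Added illustration (not CloudBees plugin code): contextual HTML escaping
// for user-controlled strings such as a group description or an item
// display name shown in a tooltip or browser bar.

// Characters that must be entity-encoded when untrusted text is placed in
// HTML text content or inside a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every special character; the '&' entry makes the mapping safe
// against double-decoding because '&' itself is replaced first in one pass.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical): raw interpolation into the HTML source.
// A name containing '"' or '<' can close the attribute and inject new tags.
function renderTooltipUnsafe(displayName) {
  return `<span class="tooltip" title="${displayName}">${displayName}</span>`;
}

// Hardened pattern (hypothetical): escape once, then interpolate. The same
// escaped value is safe in both the attribute and the text-content position.
function renderTooltipSafe(displayName) {
  const safe = escapeHtml(displayName);
  return `<span class="tooltip" title="${safe}">${safe}</span>`;
}

// Review/test helper: does the rendered markup contain any tag other than
// the single <span> wrapper the renderer is supposed to emit?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?span\b/.test(tag));
}

// Constructed sample input (not a real finding): a display name that breaks
// out of the title attribute and adds an element with an event handler.
const MALICIOUS_NAME = 'Ops Team"><img src=x onerror="alert(1)">';

// Compare the two renderings on the same input.
function compareRenderings(displayName) {
  return {
    unsafeInjected: containsInjectedTag(renderTooltipUnsafe(displayName)),
    safeInjected: containsInjectedTag(renderTooltipSafe(displayName)),
  };
}

console.log(compareRenderings(MALICIOUS_NAME));
// { unsafeInjected: true, safeInjected: false }
```

The check deliberately inspects the rendered string rather than the input: a deny-list on the input (stripping `<script>`, say) misses attribute breakouts like the sample above, whereas encoding at the output boundary neutralises every variant at once. This is also why the RBAC fix routes the description through the configured MarkupFormatter instead of filtering it on save.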

Jira Plugin upgrade (NGPIPELINE-743, NGPIPELINE-733)

The previously provided version of the Jira plugin, 3.0.9, bundled Jackson 1.x in its dependencies which made it vulnerable to CVE-2017-7525. The upgrade to Jira plugin version 3.0.10 excludes these Jackson libraries.

Known issues

Under certain circumstances, Jenkins may "hang" with the following conditions:

  • The Jenkins java process is running in a waiting state.

  • Jenkins is effectively down.

  • Nothing is logged.

Sometimes, after numerous restarts, the Jenkins service may start up again normally.

The root cause for this issue is that the Jenkins service hangs immediately before it forks the child process that starts Jetty and Jenkins. Although the Java process is running, nothing is logged, because Jenkins has not yet started and is not yet listening on any port.

NOTE: This issue affects a very small number of CloudBees customers. You only need to take action if you are directly affected by this issue: if you are not experiencing this issue, no action is necessary.

A workaround is available in the CloudBees Support Knowledge Base article "Jenkins intermittently fails to restart on RHEL 7 and CentOS 7".

Revisions

Revision 2 (2019-11-21)

CloudBees Security Advisory 2019-11-21