CloudBees CI on traditional platforms 2.277.4.3

Rolling release: 2021-05-11

Based on Jenkins LTS 2.277.4-cb-2

Security advisories

CloudBees Security Advisory 2021-05-11

Critical issues

Exception occurs in Jetty client on CloudBees CI on traditional platforms when long files are read using SSL

When large HTTP requests are submitted while the built-in Winstone/Jetty container is configured to use SSL/TLS connections, the following exception can occur:

Encrypted buffer max length exceeded

This exception could prevent you from configuring controllers.

This issue is resolved in versions 2.277.4.4 and 2.289.2.2. If you encounter this error, you should upgrade to one of those versions as soon as possible.

Remove the jquery and jquery-detached plugins from your CloudBees CI instance

The jquery and jquery-detached plugins have been removed from all CloudBees Jenkins-based products and are no longer part of CloudBees Assurance Program. However, these plugins are not automatically uninstalled from your CloudBees CI instance as other plugins you use may still have dependencies on them. Please ensure that your CloudBees CI instance does not have any dependencies on these plugins, and then remove them. For instructions on how to check for dependencies in a particular plugin, refer to How to determine if a plugin is in use.

Security fixes

Important Security Update - Action Required

The Jenkins community announced a new security vulnerability today. This issue was discovered by CloudBees security researchers as a part of their regular penetration testing.

CloudBees strongly recommends that you take immediate action to protect your Jenkins environment, including any version of CloudBees CI, CloudBees Jenkins Platform, CloudBees Jenkins Enterprise, CloudBees Jenkins Distribution, or Jenkins.

There are two ways to protect against this vulnerability. The first option is available only to customers running CloudBees CI, CloudBees Jenkins Platform, or CloudBees Jenkins Enterprise.

  1. If you are running CloudBees CI, CloudBees Jenkins Platform, or CloudBees Jenkins Enterprise, you can follow the steps in this Knowledge Base article to use the CloudBees Request Filter plugin to protect your environment. This approach does not require a restart or cause disruption to production workloads.

  2. You can upgrade to the version of CloudBees products mentioned in the CloudBees Security Advisory 2021-05-11.

    For more information, see the CloudBees Security Advisory 2021-05-11.

New features

None.

Feature enhancements

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

Jenkins 2.277 upgrade notes