What’s New in CloudBees CI 2.303.1.5

Security fixes

LDAP permissions were not updated until Jenkins was restarted (BEE-5618)

When you used LDAP to grant users new permissions in RBAC, the changes were not effective until you restarted Jenkins.

Permissions are now updated in RBAC without having to restart Jenkins.

New features

Configuration as Code job and organization item creation (BEE-5276, BEE-5279, BEE-5280, BEE-5281, BEE-5282, BEE-5284, BEE-7078)

CasC for controllers now supports the creation of the following items using the controller’s items.yaml file:

  • Freestyle jobs

  • Pipeline jobs

  • Multibranch Pipeline jobs

  • GitHub Organization

  • Bitbucket Team/Project

When these items are created in an instance, it is possible to export their configuration in a YAML format that can be used to create and configure the item using CasC.

Support has also been added for Folders with extended fields. It is now possible to configure and export all properties for a folder, including the EnvVarFolderProperties and configuration fields. Previously, only EnvVarsFolderProperty could be exported for use with CasC.

Creating Folders with extended fields, Freestyle jobs, Pipeline jobs, Multibranch Pipeline jobs, GitHub Organizations, and Bitbucket Team/Projects is a Preview feature. For more information, refer to Creating items with CasC for controllers.

CasC for the operations center job and controller item creation (BEE-3273, BEE-5279, BEE-5284, BEE-7078)

CasC for the operations center now supports the creation of the following items using the operations center’s items.yaml file:

  • Freestyle jobs

  • Client controllers

When these items are created in an instance, it is possible to export their configuration in a YAML format that can be used to create and configure the item using CasC.

Support has also been added for Folders with extended fields. It is now possible to configure and export all properties for a folder, including the EnvVarFolderProperties and configuration fields. Previously, only EnvVarsFolderProperty could be exported for use with CasC.

When using CasC for the operations center to create controller items, you can also now define controller-level groups and roles using RBAC. Unlike the global RBAC configuration that is defined in the operations center’s rbac.yaml file, the controller item and its RBAC configuration are defined in the operations center’s items.yaml file.

Creating Folders with extended fields, Freestyle jobs, and client controllers is a Preview feature. For more information, refer to Creating items with CasC for the operations center.

New customer survey and user activity data collection to improve CloudBees products (BEE-4503)

CloudBees CI now includes an optional survey to determine customer satisfaction and collects user activity data via the CloudBees Analytics Plugin to help CloudBees make decisions about future product enhancements.

Feature enhancements

Updated minimum Jenkins version to LTS 2.303 (BEE-4700)

The minimum required Jenkins version was updated to the latest LTS, version 2.303.

If an error occurs while reloading a CasC bundle, the error message is now displayed in the UI (BEE-7217)

If an error occurs while reloading a CasC bundle, the error message is now displayed in the UI and the log file.

Previously, the default error page was shown in the UI and the error message only appeared in the log file.

Resolved issues

Race condition error when client controllers started (BEE-2493)

A race condition could occur when client controllers started, causing tests to fail intermittently.

The race condition has been fixed, and this issue is resolved.

The casc-bundle/set-global-availability-pattern-behavior HTTP API endpoint returned no information for the visibility value (BEE-5923)

When the casc-bundle/set-global-availability-pattern-behavior HTTP API endpoint was called, an empty response was returned even if the default behavior of the availability pattern had been properly set.

The casc-bundle/set-global-availability-pattern-behavior HTTP API endpoint now returns the new visibility value.

If the Jenkins Configuration as Code plugin was not installed and the current CasC configuration was exported, the export failed (BEE-6931)

If the Jenkins Configuration as Code plugin is not installed, the current configuration can now be exported without error and the jenkins.yaml file is not included in the export.

The plugin-catalog.yaml file was exported as part of the CasC current configuration in the operations center (BEE-7093)

When the Current Configuration tab was selected in the CloudBees Configuration as Code export and update screen, the plugin-catalog.yaml file was included in the exported configuration, even though it is not supported with CasC for the operations center.

The plugin-catalog.yaml file is no longer included in the exported configuration.

Reentrant locking in Role-based Access Control (RBAC) groups causes Jenkins to become unresponsive (BEE-7033)

Making concurrent modifications to RBAC groups was occasionally causing Jenkins to become unresponsive. The issue was caused by a deadlock resulting from the reentrant locking strategy.

The deadlock issue has been resolved. Making concurrent modifications to RBAC groups no longer causes Jenkins to become unresponsive.

Role-based access control (RBAC) groups couldn’t be copied using the Move and Copy operations (BEE-5454)

Previously, when you copied a folder that contained an RBAC group from one controller to another controller, the RBAC group was not copied to the new destination.

Now, you can copy RBAC groups from one controller to another using the Move and Copy operations, if you have permission to create groups on the destination controller.

Disable the collection of Jenkins anonymous usage statistics on CloudBees CI startup (BEE-6654)

Previously, CloudBees CI collected anonymous usage statistics and sent them to the Jenkins community.

The collection of Jenkins usage statistics is now disabled by default on startup. You can re-enable the collection of usage statistics if you choose.

Analytics could be triggered too early in the startup process, causing exceptions to be logged (BEE-6579)

The code now also checks that the controller is far enough along in its startup sequence, in addition to the completed status of the startup wizard.

If a Windows agent (running as a service) is restarted, the WinSW wrapper will stop all child processes, including a launched script from durable-task (BEE-3024)

Durable task now calls the Windows binary wrapper for Batch and PowerShell script files. The launched scripts are detached from the launching process and protected against unwanted termination signals.

Apache Commons Digester Library Removal (BEE-624)

The Apache Commons Digester, which is included as a dependency of Jenkins Core, is old and poorly maintained. This library and its dependencies have been a source of a number of security vulnerabilities. Therefore, the Jenkins community has decided to remove it from the Jenkins Core.

The Apache Commons Digester Library is removed as a dependency from Jenkins Core and all plugins in the CloudBees Assurance Program are made compatible with this change. In addition, almost all Jenkins community plugins have been upgraded to be compatible with this change.

If you’re using your own proprietary plugin or one of the few Jenkins community plugins that do not have a compatible version, please consult our KB article before upgrading: Commons Digester Library Removal.

Unsynchronized access of a WeakHashMap in script-security could cause an infinite loop (BEE-7028)

The unsynchronized access has been fixed with appropriate locking.

Known issues

Spaces in configuration for systemd caused Java startup to fail (BEE-7072)

After upgrading, Java may fail to start with an error. This can be caused by spaces in the systemd configuration.

To configure CloudBees CI to support spaces in the systemd configuration, add the following arguments to the Jenkins service configuration file:

JENKINS_JAVA_OPTIONS=(-Djava.awt.headless=true)

JENKINS_JAVA_OPTIONS+=("-Dkey=value with spaces")

For most RedHat and CentOS distributions, the service configuration file is located at: /etc/sysconfig/cloudbees-core-oc.
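The following added example (not part of the CloudBees release notes) shows why the array form above is needed: a constructed service configuration file is sourced the way a wrapper script would source it, and the resulting argument count is compared for the plain-string form and the array form. The file path and the wrapper behaviour are assumptions for illustration only.

```bash
#!/usr/bin/env bash
# Added example: demonstrates the word-splitting failure mode behind BEE-7072.
# A constructed config file is sourced (as a bash wrapper would source
# /etc/sysconfig/cloudbees-core-oc) and the number of arguments that would
# reach the java command line is counted.

count_args() {
    # Stands in for the java launcher: report how many arguments arrived.
    echo "$#"
}

# Option value containing spaces, as in the known issue (constructed value).
OPT_WITH_SPACES="-Dkey=value with spaces"

# Plain string form: unquoted expansion splits the option on every space.
string_form_argc() {
    local cfg
    unset JENKINS_JAVA_OPTIONS
    cfg="$(mktemp)"
    printf 'JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true %s"\n' "$OPT_WITH_SPACES" > "$cfg"
    . "$cfg"
    rm -f "$cfg"
    # shellcheck disable=SC2086
    count_args $JENKINS_JAVA_OPTIONS   # 4 tokens: the value is broken apart
}

# Array form recommended in the known issue: each element stays one argument.
array_form_argc() {
    local cfg
    unset JENKINS_JAVA_OPTIONS
    cfg="$(mktemp)"
    {
        echo 'JENKINS_JAVA_OPTIONS=(-Djava.awt.headless=true)'
        printf 'JENKINS_JAVA_OPTIONS+=("%s")\n' "$OPT_WITH_SPACES"
    } > "$cfg"
    . "$cfg"
    rm -f "$cfg"
    count_args "${JENKINS_JAVA_OPTIONS[@]}"   # 2 arguments, spaces preserved
}

echo "string form passes $(string_form_argc) arguments to java"
echo "array form passes $(array_form_argc) arguments to java"
```

The array form only works because the sysconfig file is sourced by a bash wrapper; a systemd EnvironmentFile= directive does not understand array syntax.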

The casc-bundle/regenerate-token HTTP API endpoint does not reset the token in the operations center (BEE-7364)

When the casc-bundle/regenerate-token HTTP API endpoint is called, no response is returned and the token is not properly reset. This will be corrected in a future version.

If the optOutProperty is included in the operations center CasC items.yaml file for controller items, the operations center fails to restart (BEE-7679)

If the optOutProperty is included in the operations center items.yaml file for controller items, the operations center CasC bundle is updated, and Reload Configuration is selected from the Configuration as Code export and update screen, a warning is displayed, and the operations center fails to restart. This will be corrected in a future version.

Upgrade notes

CloudBees recommends that you upgrade to the August 2021 release of Jenkins LTS as soon as possible. The August 2021 release includes a change that removes the Apache Commons Digester from Jenkins Core. If you use Jenkins plugins that are not in the CloudBees Assurance Program (CAP), you should update them before upgrading your CloudBees products to ensure compatibility with the August release. If your company uses its own proprietary (non-CloudBees) plugins, CloudBees recommends that you test them against Jenkins version 2.302+ prior to the August release. As always, backing up your data before upgrading is strongly encouraged. For details about this change and a list of impacted plugins, please refer to our knowledge base article Commons Digester Library Removal.