Security fixes
- Upgrade Google OAuth Client 1.31.5 to Google OAuth Client 1.33.3 (BEE-23789) -
Upgraded Google OAuth Client 1.31.5 to Google OAuth Client 1.33.3.
- Upgrade Gson 2.8.7 to Gson 2.8.9 (BEE-24280) -
Upgraded Gson 2.8.7 to Gson 2.8.9.
- Upgrade Google OAuth Client 1.25.0 to Google OAuth Client 1.33.3 (BEE-25730) -
Upgraded Google OAuth Client 1.25.0 to Google OAuth Client 1.33.3.
- Upgrade to Analysis Model API including BCEL 6.7.0 with the fix (BEE-27951) -
Upgraded to Analysis Model API including BCEL 6.7.0 with the fix.
- Use of unsafe SnakeYaml constructor (BEE-29887) -
Updated the library SnakeYaml to 2.0 due to a security defect in version 1.33.
- Low-privilege users can restore backup jobs (BEE-29577) -
The CloudBees Backup plugin allowed users with Job/Configure permissions to restore backups. This issue is resolved.
- Low-privilege users can break backup jobs (BEE-29576) -
The CloudBees Backup plugin allowed users with Job/Configure permissions to break backup jobs created by other users. This issue is resolved.
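The SnakeYaml entry above (BEE-29887) concerns the loader constructor used to parse YAML. As an added example, and not code from the CloudBees product or from the SnakeYaml project, the following shows the defensive pattern for parsing YAML you do not control: build the Yaml instance with SafeConstructor, which only produces standard YAML types (maps, lists, scalars) and refuses tags that name Java classes, instead of relying on the default constructor. The class and method names (SafeYamlLoad, safeLoader, loadConfig) and the two sample documents are constructed for this example; it assumes SnakeYaml 2.x on the classpath.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not CloudBees or SnakeYaml project code): parse untrusted
 * YAML with SafeConstructor so that no document can cause an arbitrary Java
 * class to be instantiated through a tag. Assumes SnakeYaml 2.x.
 */
public class SafeYamlLoad {

    // Constructed sample: ordinary configuration data, no custom tags.
    static final String PLAIN_DOC = "enabled: true\nname: backup-job\nretries: 3\n";

    // Constructed sample: a document carrying a global tag that asks the
    // loader to instantiate a JDK class. The class itself is harmless; the
    // point is that the safe loader must reject the tag rather than honour it.
    static final String TAGGED_DOC = "when: !!java.util.Date {}\n";

    /** Builds a loader that never instantiates application classes from tags. */
    static Yaml safeLoader() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false); // reject ambiguous documents too
        return new Yaml(new SafeConstructor(options));
    }

    /** Parses untrusted YAML into plain Java collections, or null if rejected. */
    static Map<String, Object> loadConfig(String document) {
        try {
            return safeLoader().load(document);
        } catch (YAMLException e) {
            // SafeConstructor reports an unsupported tag with a YAMLException
            // subclass; treat the whole document as rejected.
            System.err.println("rejected YAML: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadConfig(PLAIN_DOC);
        // Booleans and integers arrive as native types, not as strings.
        System.out.println("enabled is Boolean: " + (cfg.get("enabled") instanceof Boolean));
        System.out.println("retries is Integer: " + (cfg.get("retries") instanceof Integer));

        // The tagged document is refused instead of constructing java.util.Date.
        System.out.println("tagged document rejected: " + (loadConfig(TAGGED_DOC) == null));
    }
}
```

The same loader configuration is what a plugin should use for any YAML that arrives from users, bundles or webhooks; if application classes genuinely need to be constructed from YAML, that mapping should be declared explicitly in code rather than left to tags chosen by whoever wrote the document.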
Resolved issues
- After a server restart, the CloudBees CI service started before the NFS mount used for JENKINS_HOME was mounted, causing the CI service to fail to start properly (BEE-32236) -
The systemd service now waits for NFS to be mounted before the service starts. This issue is resolved.
- Bundle update tab displays duplicate validation results (BEE-31764) -
Duplicate validation results appear on the Bundle update tab of the CloudBees Configuration as Code export and update page. This issue is resolved. Validation results are no longer duplicated.
- Warnings from AvailabilityPatternValidator are not stored in the raw bundle log storage (BEE-30893) -
The RawBundleValidation log does not always show all of the warnings that the core bundles page shows.
- rbac.yaml treats boolean values as strings (BEE-29065) -
Boolean values were incorrectly quoted and treated as string values in the rbac.yaml file. This issue is resolved.
Known issues
- XStream2 unable to round-trip ASCII NUL (JENKINS-71139) -
Jenkins has switched from using KXml2Driver to StandardStaxDriver. Due to this change, Jenkins XML files can no longer save text content with the ASCII NUL character (U+0000). In particular, if you are using the JUnit plugin to publish test results, be sure to update it to the latest version to avoid problems with new builds. Test results published with older versions of the plugin become unreadable. CloudBees CI users with Beekeeper enabled do not need to update the plugin since the update is part of the product.
- Prevalidating an invalid YAML file does not update check results (BEE-32504) -
The prevalidation process does not complete when a bundle with a malformed YAML file is submitted. The errors are not reflected in GitHub.
- The offline Update Center signature may expire and old versions of the product do not start up (BEE-10093) -
The offline Update Center can only be updated by upgrading a trusted WAR file, so signing the file that is inside the WAR file adds no security. The product might not start up when the certificate used to sign the JSON is no longer valid (which occurs if the product has not been upgraded in a long time). The JSON embedded inside the WAR file is no longer signed.
- Duplicate Pipeline Template Catalogs in the Configuration as Code (CasC) for Controllers jenkins.yaml file on each instance restart (BEE-12722) -
If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.
- Severe contention on io.jenkins.blueocean.rest.impl.pipeline.PipelineNodeImpl.isRestartable with large Declarative Pipelines (BEE-31789) -
CloudBees recommends that you upgrade Blue Ocean if you have large Declarative Pipelines.