Security advisories
- CloudBees Security Advisory 2018-12-05
-
SECURITY-595: Code execution through crafted URLs; SECURITY-904: workspace browser allowed accessing files outside the workspace; SECURITY-1072: forced migration of user records; SECURITY-1193: potential denial of service through cron expression form validation.
New features
- Allow YAML to override default ingress annotations
-
Allow overriding of default ingress with YAML annotations.
- CLI commands to install and disable plugins
-
This Jenkins feature adds plugin management and automation via the CLI. Benefits are configuration as code and GitOps plugin management.
- Tuning of configuration permissions to improve security
-
In organizations where central administrators delegate permissions to team administrators, team administrators needed access to a wide range of configuration parameters. As an unintended consequence of this very broad scope, some of these permissions could have been used to 'harm' Jenkins or to leak all credentials.
This new feature provides fine-grained control and improves the granting of permissions, reducing or eliminating these risks.
- Credential-masking plugin to improve security
-
The new Enhanced Credentials Masking plugin masks credentials even if they are referenced as a Declarative Pipeline syntax variable outside the withCredentials code block.
Previously, it was possible for unscrupulous developers to extract credentials masked by withCredentials when those credentials were referenced as a variable outside a pipeline block.
With the new plugin, customer credentials are not exposed outside the code block, improving the security of CloudBees Core.
- Cross team collaboration external HTTP endpoints
-
This feature allows users to trigger jobs based on an external event being published by systems that produce JSON webhooks. This feature works with pipelines on all controllers.
Cross-team collaboration reduces manual handoffs across teams, and jobs can start automatically when a notification is published, which facilitates continuous delivery. This also permits integration with homemade systems or systems without an out-of-the-box webhook integration (such as Artifactory). Security against malicious or fake webhooks is provided by HMAC authentication and remote IP address filtering.
Resolved issues
- Kubernetes plugin resource issues
-
Kubernetes pods are now cleaned up to resolve the resource consumption issue.
- Can’t delete the last Kubernetes Pod Template on Core controller
-
Modified the Kubernetes plugin so that all Kubernetes Pod Templates on a CloudBees Core controller may be deleted.
- EKS unable to retrieve CA file when using self-signed cert
-
When using self-signed certificates in CloudBees Core, EKS was unable to retrieve the client CA file. This update addresses that issue.
- Pick up security fixes from the new OpenJDK version
-
This release updates OpenJDK to 8u181-jdk-alpine3.8.
- Exception during startup causes a broken running instance
-
During startup, a java.nio.file.FileAlreadyExistsException may occur against envelope.json, which could leave Jenkins in a running but unusable state.
To fix this, we’ve modified startup behavior to prevent instance initialization when there is a problem with the installation of the envelope.
- Text cleanup for the CLI backup-master command
-
Fixed several minor grammatical errors in messages returned by the CLI backup command.
- Build directories and contents are backed up when deselected
-
In the CloudBees Backup configuration, users can select/deselect the following items:
- Build records
- Job configurations
- System configuration
Users were finding that, even with build records deselected, their backups contained build artifacts and logs.
Although there are situations where keeping the directory information for lastSuccessful symlinks is necessary, retaining the contents of those directories is not desirable.
Behavior has been modified to NOT include the contents of last** symbolic links when the user excludes build records.
- Jenkins HA Monitor tool doesn’t work
-
The Jenkins HA Tool (versions 4.14 and up) was failing to read a license file and shutting down, thus rendering it useless.
The tool has been repackaged to include additional dependencies in JAR-with-dependencies.
Revisions
- Revision 4 (2020-04-14)
-
Plugin updates
- Revision 3 (2019-01-08)
- Revision 2 (2018-12-12)
- Release Notes
-
Upgraded operations-center-server Plugin from 2.138.0.9 to 2.138.0.10