CloudBees Jenkins Enterprise 1.11.29

RELEASED: 2020-03-25

Based on Jenkins LTS 2.222.1-cb-7

Rolling release

Security advisory

  • CloudBees Security Advisory 2020-03-25

    This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform, CloudBees Jenkins Enterprise and CloudBees Core.

Security fixes

  • CasC bundle processing in the installation manager is subject to RCE (CTR-1251)

    There was a risk of remote code execution (RCE) when parsing YAML files from a Configuration Bundle.

    With this fix, the YAML parser has been properly configured to mitigate such risk.

    This update only affects installations using the Configuration as Code Plugin.

  • Fix persistent XSS vulnerability in the List View (CTR-1036)

    The Operations Center Cluster Operations Plugin did not escape the click event on the Cluster Operation checkbox. This lapse resulted in a stored cross-site scripting vulnerability, exploitable by users with Overall/Administer permissions in Operations Center.

    The JavaScript code was changed to prevent this vulnerability.

    This update only affects installations using the Operations Center Cluster Operations Plugin.

New features

  • Introducing CloudBees Pipeline Policies as a Preview feature (CTR-767)

    While administrators would like to enable their developers to use pipelines freely, they still may need to set some restrictions based on industry-specific regulatory compliance or general best practice principles. Pipeline Policies provide a central way to enforce best practices across pipeline projects. The plugin uses runtime validation that works for both scripted and declarative pipelines, allowing administrators to include warnings or block the execution of pipelines if policy rules are violated. This initial release of Pipeline Policies is aimed at helping users avoid antipatterns that can damage the stability of their masters.

    This only affects installations that use the Pipeline Policies Plugin.

Feature enhancements

  • Add groupId segment field in events sent (FNDJEN-1922)

    CloudBees now collects the name of the company that is licensed to use our products. This applies to Operations Center, CloudBees Jenkins Enterprise, CloudBees Jenkins Enterprise Operations Center, and CloudBees Jenkins Enterprise Managed Masters.

  • Update GUI with new branding (CTR-1131)

    With this release, we have updated the CloudBees branding in the header icons and favicons of the graphical user interface (GUI) of our products.

  • Fix multitesting enforcer issue for nectar-rbac-license-plugin on 2.204.1 and 2.211 (CTR-1064)

    The public API method, hudson.model.UpdateSite.doPostBack, has been removed from the UpdateSite class to comply with an upstream code removal for security reasons.

Resolved issues

  • Cannot move/copy/promote a ComputedFolder if indexing hasn’t run (CTR-167)

    It was not possible to move, copy or promote Multibranch Pipelines if the source repository had not been scanned.

    With this fix, these operations now work as expected, regardless of the state of indexing.

  • NullPointerException error when using the ItemParameterDefinition without filters (CTR-1087)

    A parameterized Cluster Operations project returned a NullPointerException error when it was run using Select Items parameters that included Client Master / Managed Masters Using a specified update center and Update center using a specified update center source as sources.

    With this fix, running a parameterized Cluster Operations project with Select Items parameters including Client Master / Managed Masters Using a specified update center and Update center using a specified update center source as sources works as expected.

  • JellyTagException when including parameter values in a Cluster Operations build (CTR-1105)

    The Parameters link on the Cluster Operations build page failed with a JellyTagException when Select Items parameters were included. With this fix, the Parameters link on the Cluster Operations build page works as expected when Select Items parameters are included.

  • Remove dependency on the Trilead API plugin (CTR-1379, CTR-1351)

    The CloudBees License Manager plugin’s dependency on the Trilead API plugin was not installed in bootstrap scope, preventing the previous release from being used by the product.

    The CloudBees License plugin no longer relies on the Trilead API plugin as the area of code has been refactored.

    This update only affects installations that use the CloudBees License Manager plugin.

  • CloudBees License Manager plugin not showing up in the setup wizard on Jenkins 2.217+ (CTR-1295)

    Jenkins 2.216 replaced js-builder with webpack. Since this release, the CloudBees Assurance Plugin and the CloudBees License Plugin both failed to load and display in the setup wizard.

    With this fix, the frontend toolchain now uses webpack and is compatible with Jenkins 2.217+.

    This update only affects installations that use the CloudBees Assurance plugin and the CloudBees License Manager plugin.

  • CloudBees Pipeline: Templates Plugin test failures in PCT (NGPIPELINE-689)

    The PCT was failing for the cloudbees-workflow-template plugin.

    We upgraded the parent pom to allow PCT to pass for the cloudbees-workflow-template plugin.

    This update only affects installations that use the CloudBees Pipeline: Templates Plugin.

  • GovernancePipelineTemplatesFolder has "placeholder display name" (NGPIPELINE-716)

    When configuring a folders-plus item restriction, an option under "This folder can contain the following items" was "placeholder display name".

    This placeholder text has been removed from the GUI.

  • Catalog templates incompatible with Checkpoints (NGPIPELINE-930)

    Pipeline restarts from a Checkpoint were failing if the Pipeline was defined using a Pipeline Template from a Pipeline Template Catalog. Pipelines were built from scratch instead of resuming from the Checkpoint.

    With this fix, Pipelines defined using Pipeline Templates from Pipeline Template Catalogs are now able to resume from Checkpoints correctly.

Known issues

Critical CloudBees Jenkins Enterprise 1.X upgrade/patch required by March 31, 2020

Docker has restored the repositories that were unavailable and were causing CloudBees Jenkins Enterprise (CJE) 1.x controllers and workers to not initialize earlier today. However, Docker will be permanently shutting down repositories on which CJE 1.X relied as of March 31, 2020.

To avoid controller and worker failures, you must do one of the following:

  • Upgrade to CloudBees Jenkins Enterprise 1.11.27, OR

  • Patch controllers and workers on older versions. The patch cannot be applied to version 1.11.11 and earlier.

If left in its current state, after Docker shuts down these repositories on March 31, 2020, CJE 1.X controllers and workers will not initialize. To clarify, these are the virtual machines that are created and managed by the ‘cje’ command line tool, not Operations Center, Managed Masters, or build agents.

  • Global build discarders configuration isn’t loaded from disk (JENKINS-61688)

    The global build discarder configuration gets saved, but it’s never loaded.

    On every restart, Jenkins 2.221+ will always start with the "Job Build Discarder" configured, which means:

    • Any custom global build discarder configuration is lost.

    • Users who don’t want background build discarders get the default one.

Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees will no longer support the CloudBees VMware Pool Autoscaling Plugin after April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.