CloudBees Jenkins Enterprise 1.11.30

RELEASED: 2020-04-27

Based on Jenkins LTS2.222.1-cb-7

Rolling release

Security advisory

  • CloudBees Security Advisory 2020-04-27

    This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform, CloudBees Jenkins Enterprise and CloudBees Core.

Security fixes

  • Fix WikiText Plugin security issues (FNDJEN-2010)

    Wikitext Plugin 3.9 and earlier does not escape text formatted by the MediaWiki, Textile and TWiki syntax formatters.

    This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

    Use Wikitext Plugin 3.12. This version escapes the formatted text before printing it out.

  • Fix EC2 security issues (FNDJEN-1985)

    Connections to Windows instances over HTTPS check neither the host name nor the certificate presented by the instance.

    An option has been added to the template configuration view to enforce this check. A new administrative monitor warns about existing templates that do not have this option enabled.

  • Missing permission check led to SSRF in VMware Autoscaling Plugin (CTR-1293)

    When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.

    With this fix, a permission has been added so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.

    This update only affects installations that use the CloudBees VMware Autoscaling Plugin.
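    As an added illustration of this defect class and its fix (not code from the CloudBees VMware Autoscaling Plugin), the hypothetical Jenkins descriptor below shows a "Test Connection" validation endpoint without a permission check next to the hardened form. The class and method names, the host parameter and the use of Jenkins.ADMINISTER are assumptions; the plugin's actual fix checks its CONFIGURE permission.

```java
// Added illustration of the defect class, not code from the CloudBees VMware
// Autoscaling Plugin. PoolConnectionDescriptor, doTestConnection and the
// "host" field are hypothetical names.
import hudson.model.Descriptor;
import hudson.slaves.Cloud;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;

public class PoolConnectionDescriptor extends Descriptor<Cloud> {

    // BEFORE: any user who can reach the URL can trigger the probe, and the
    // server connects to whatever host the caller supplies. That is the
    // server-side request forgery the advisory describes.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String host) {
        return probe(host);
    }

    // AFTER: the permission check runs before any network activity, so a
    // caller without the permission receives an authorization error instead
    // of a probe result. @POST additionally rejects plain GET requests.
    // Assumption: Jenkins core guards global cloud configuration with
    // ADMINISTER; substitute the permission that protects the page the
    // button lives on (CONFIGURE in the advisory's case).
    @POST
    public FormValidation doTestConnection(@QueryParameter String host) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(host);
    }

    // Shared outbound probe; its only protection is the caller's check.
    private static FormValidation probe(String host) {
        try {
            HttpURLConnection c = (HttpURLConnection)
                    new URL("https://" + host + "/").openConnection();
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            int status = c.getResponseCode();
            return status == 200
                    ? FormValidation.ok("Connected to " + host)
                    : FormValidation.error("Unexpected HTTP status " + status);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    @Override
    public String getDisplayName() { return "Hypothetical pool"; }
}
```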

  • CloudBees Update Center Plugin library upgrade (CTR-1450)

    We upgraded the bcprov-jdk15on library dependency to the more stable version 1.64.

    This update only affects installations that use the CloudBees Update Center Plugin.

New features

Feature enhancements

  • CloudBees Jenkins Enterprise License Entitlement Check new public API (CTR-1466)

    We added a new public API to the CloudBees Jenkins Enterprise License Entitlement Check plugin that exposes the product name.

  • Add Matrix to directive generator (NGPIPELINE-624)

    Matrix-related directives were not available in the Directive Generator.

    We have added Matrix-related directives to the Directive Generator, including "matrix", "axes", "axis", "excludes", and "exclude".

Resolved issues

  • Broken worker-remove operation (CPTL2-6304)

    On an Anywhere installation, the worker-remove operation was issuing an error.

    The operation has been fixed and is able to complete now.

  • Analytics plugin was sending a wizard login even on regular login after restart (FNDJEN-1904)

    The Analytics plugin was sending the "Admin password step displayed" event after the setup wizard was completed.

    This issue has been fixed.

  • Adapt product link color in the refreshed Jenkins UI (FNDJEN-1989)

    Some links were not being correctly displayed with the new UI. That is now fixed.

  • CloudBees SSH Build Agents Plugin intermittent SSH error since version 2.5 (CTR-1444)

    Since version 2.5 of the CloudBees SSH Build Agents Plugin, calling close() on ChannelExec without parameters closed the underlying SSH channel synchronously, making the connection unstable.

    With this fix, ChannelExec is now closed asynchronously using close(false) instead of the Closeable close() method.

    This update only affects installations that use the CloudBees SSH Build Agents Plugin.

  • Reduce lock contention in the CloudBees Role-Based Access Control (RBAC) plugin (CTR-1267)

    To reduce UI blocking issues when using RBAC with large user groups or when the user database is slow, we reduced lock contention in the CloudBees Role-Based Access Control plugin.

  • Operations Center Client Plugin dependency upgrade (CTR-1427)

    We now depend on the Snakeyaml Plugin instead of depending on the library artifact directly.

    This update only affects installations that use the Operations Center Client Plugin.

  • NullPointerException on LicenseRootCAPeriodicWork (CTR-1553)

    Internal API change: the value returned by LicenseManager.getInstanceOrDie().getLicenseKeyData() now requires a null check.

  • The fix for JENKINS-59083 caused deadlocks (NGPIPELINE-951)

    The Pipeline: Job Plugin versions 2.35, 2.36, and 2.37 could cause Jenkins to hang indefinitely in some cases due to deadlock.

    With this fix, the Pipeline: Job Plugin version 2.38 no longer causes deadlocks.

    This update only affects installations that use the Pipeline: Job plugin.

  • Checkouts of shared libraries should exclude contents of src/test (NGPIPELINE-1020)

    The contents of the src/test/ folder in shared libraries were available to Pipelines, but this directory is commonly used to store tests for the library itself and is not intended to be used by Pipelines.

    With this fix, the contents of src/test/ in shared libraries are no longer available to Pipelines by default as a precaution for users who may not have realized that shared library test code should not be placed under src/test/.

    To restore the previous behavior that allowed access to files in src/test/, pass -Dorg.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES=true to the java command used to start Jenkins.

  • Parameter names for templates in Template Catalogs were not validated correctly (NGPIPELINE-1006)

    If a parameter used in the template.yaml file for a template in a Pipeline Template Catalog was not a valid Java identifier, the template would silently fail to load.

    With this fix, when a template is imported, the parameters are checked to make sure they are valid Java identifiers. If not, a validation error is displayed in the catalog import log and the import fails.

  • The Pipeline: Build Step Plugin incorrectly logged a warning when converting choice-like parameters (NGPIPELINE-1026)

    Starting in version 2.10 of the Pipeline: Build Step Plugin, passing parameters to downstream jobs that use the Extended Choice Parameters Plugin or Active Choices Plugin caused an erroneous warning about parameter conversion to be printed to the build log.

    With this fix, the warning about parameter conversion is no longer printed to the build log for parameters from the Extended Choice Parameters Plugin or Active Choices Plugin.

    This update only affects installations that use the Pipeline: Build Step plugin.

  • Restart required to turn off polling for an SCM on a Pipeline job (NGPIPELINE-917)

    When a Pipeline job was configured to poll an SCM for updates, it could not be configured to stop polling that SCM unless Jenkins was restarted.

    With this fix, turning polling off for an SCM in a Pipeline job will now immediately disable polling for that SCM on that job.

Known issues

Critical CloudBees Jenkins Enterprise 1.X upgrade/patch required by March 31, 2020

Docker has restored the repositories that were unavailable and were causing CloudBees Jenkins Enterprise (CJE) 1.x controllers and workers to not initialize earlier today. However, Docker will be permanently shutting down the repositories on which CJE 1.X relies as of March 31, 2020.

To avoid controller and worker failures, you must do one of the following:

  • Upgrade to CloudBees Jenkins Enterprise 1.11.27, OR

  • Patch controllers and workers on older versions. The patch cannot be applied to version 1.11.11 and earlier.

If left in its current state, after Docker shuts down these repositories on March 31, 2020, CJE 1.X controllers and workers will not initialize. To clarify, these are the virtual machines that are created and managed by the ‘cje’ command line tool, not Operations Center, Managed Masters, or build agents.

Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees will no longer support the CloudBees VMware Pool Autoscaling Plugin after April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

License certificate expiration

On June 22nd, 2020, the certificate used to sign all existing CloudBees licenses for Jenkins-based products will expire. This certificate is used to verify the authenticity of the customer’s CloudBees license. Customers must install a new license (generated with the new certificate) before June 22, 2020. Existing licenses will become invalid as of June 22, 2020. See the following articles for instructions on how to upgrade your license:

  • Preparing for the new CloudBees License Certificate

  • Upgrading for the new CloudBees License Certificate