CloudBees Jenkins Enterprise 1.11.30
Based on Jenkins
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform, CloudBees Jenkins Enterprise and CloudBees Core.
Fix WikiText Plugin security issues (FNDJEN-2010)
Wikitext Plugin 3.9 and earlier does not escape text formatted by the MediaWiki, Textile, and TWiki syntax formatters.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
Use Wikitext Plugin 3.12. This version escapes the formatted text before printing it out.
Fix EC2 security issues (FNDJEN-1985)
Connections to Windows instances over HTTPS checked neither the host name nor the certificate presented by the instance.
An option on the template configuration view has been provided to force this check. A new admin monitor warns about existing templates without this option checked.
Missing permission check led to SSRF in VMware Autoscaling Plugin (CTR-1293)
When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permission to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.
With this fix, a permission check has been added, so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.
This update only affects installations that use the CloudBees VMware Autoscaling Plugin.
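The pattern behind this fix, as an added illustration that is not CloudBees' VMware Autoscaling Plugin code: a Jenkins "Test Connection" form-validation endpoint that refuses callers who lack the permission needed to save the configuration. The cloud class, descriptor, field and parameter names are hypothetical, Jenkins.ADMINISTER is assumed as the guarding permission (the note above only says a CONFIGURE permission is checked), and the snippet assumes it is compiled inside a Jenkins plugin with the usual jenkins-core and Stapler dependencies.

```java
// Added example, not CloudBees' plugin code. Names are hypothetical; the
// Jenkins, Stapler and JDK APIs used are real.
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Label;
import hudson.slaves.Cloud;
import hudson.slaves.NodeProvisioner;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collection;
import java.util.Collections;

/** Hypothetical cloud whose configuration page has a "Test Connection" button. */
public class PoolCloud extends Cloud {
    private final String host;
    private final int port;

    @DataBoundConstructor
    public PoolCloud(String name, String host, int port) {
        super(name);
        this.host = host;
        this.port = port;
    }

    public String getHost() { return host; }
    public int getPort() { return port; }

    // This example never provisions agents; only the validation endpoint matters here.
    @Override public boolean canProvision(Label label) { return false; }
    @Override public Collection<NodeProvisioner.PlannedNode> provision(Label label, int excessWorkload) {
        return Collections.emptyList();
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<Cloud> {
        @Override public String getDisplayName() { return "Pool cloud (hypothetical)"; }

        /**
         * Stapler exposes this method over HTTP for the "Test Connection" button.
         * Without the checkPermission line, any user who can reach that URL can make
         * the controller open a TCP connection to a host and port of their choosing,
         * which is exactly the SSRF the note above describes.
         */
        @POST  // GET is rejected, so a CSRF crumb is also required on a standard setup
        public FormValidation doTestConnection(@QueryParameter String host,
                                               @QueryParameter int port) {
            // The fix: checkPermission throws AccessDeniedException for callers
            // without the permission, which Jenkins answers with an HTTP 403.
            // Jenkins.ADMINISTER is an assumption for this example.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);

            if (host == null || host.isEmpty()) {
                return FormValidation.error("Host is required");
            }
            if (port < 1 || port > 65535) {
                return FormValidation.error("Port must be between 1 and 65535");
            }
            try (Socket socket = new Socket()) {
                socket.connect(new InetSocketAddress(host, port), 3_000);
                return FormValidation.ok("Connected to " + host + ":" + port);
            } catch (IOException e) {
                return FormValidation.error(e, "Could not connect to " + host + ":" + port);
            }
        }
    }
}
```

The permission check is the first statement in the method on purpose: nothing that costs the server a network connection runs before the caller has been authorized, and the same method handles the button click from the UI and a hand-crafted request alike.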
CloudBees Update Center Plugin library upgrade (CTR-1450)
We upgraded the bcprov-jdk15on library dependency to the more stable version 1.64.
This update only affects installations that use the CloudBees Update Center Plugin.
CloudBees Jenkins Enterprise License Entitlement Check new public API (CTR-1466)
We added a new public API to the CloudBees Jenkins Enterprise License Entitlement Check plugin that exposes the product name.
Add Matrix to directive generator (NGPIPELINE-624)
Matrix-related directives were not available in the Directive Generator.
We have added Matrix-related directives to the Directive Generator, including "matrix", "axes", "axis", "excludes", and "exclude".
Broken worker-remove operation (CPTL2-6304)
On an Anywhere installation, the worker-remove operation was issuing an error.
The operation has been fixed and is able to complete now.
Analytics plugin was sending a wizard login even on regular login after restart (FNDJEN-1904)
The Analytics plugin was sending the "Admin password step displayed" event after the setup wizard was completed.
This issue has been fixed.
Adapt product link color in the refreshed Jenkins UI (FNDJEN-1989)
Some links were not being correctly displayed with the new UI. That is now fixed.
CloudBees SSH Build Agents Plugin intermittent SSH error since version 2.5 (CTR-1444)
Since version 2.5 of the CloudBees SSH Build Agents Plugin, calling ChannelExec close without parameters closed the underlying SSH channel connection synchronously, making the connection unstable.
With this fix, ChannelExec is now closed asynchronously using close(false) instead of the closeable close method.
This update only affects installations that use the CloudBees SSH Build Agents Plugin.
Reduce lock contention in the CloudBees Role-Based Access Control (RBAC) plugin (CTR-1267)
To reduce UI blocking issues when using RBAC with large user groups or when the user database is slow, we reduced lock contention in the CloudBees Role-Based Access Control plugin.
Operations Center Client Plugin dependency upgrade (CTR-1427)
We now use the Snakeyaml Plugin instead of the artifact.
This update only affects installations that use the Operations Center Client Plugin.
NullPointerException on LicenseRootCAPeriodicWork (CTR-1553)
Internal API change: LicenseManager.getInstanceOrDie().getLicenseKeyData() now requires a null check on its result.
The fix for JENKINS-59083 caused deadlocks (NGPIPELINE-951)
The Pipeline: Job Plugin versions 2.35, 2.36, and 2.37 could cause Jenkins to hang indefinitely in some cases due to deadlock.
With this fix, the Pipeline: Job Plugin version 2.38 no longer causes deadlocks.
This update only affects installations that use the Pipeline: Job plugin.
Checkouts of shared libraries should exclude contents of src/test/
The contents of the src/test/ folder in shared libraries were available to Pipelines, but this directory is commonly used to store tests for the library itself, and is not intended to be used by Pipelines.
With this fix, the contents of src/test/ in shared libraries are no longer available to Pipelines by default as a precaution for users who may not have realized that shared library test code should not be placed under
To restore the previous behavior that allowed access to files in src/test/, pass -Dorg.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES=true to the java command used to start Jenkins.
Parameter names for templates in Template Catalogs were not validated correctly (NGPIPELINE-1006)
If a parameter used in the template.yaml file for a template in a Pipeline Template Catalog was not a valid Java identifier, the template would silently fail to load.
With this fix, when a template is imported, the parameters are checked to make sure they are valid Java identifiers. If not, a validation error is displayed in the catalog import log and the import fails.
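An added example of the kind of check described above, written for this page and not taken from the Pipeline Template Catalog code: it validates a list of parameter names as plain Java identifiers with the JDK's own javax.lang.model.SourceVersion, collects every offender, and fails loudly instead of silently dropping the template. The class name, the helper names, and the sample parameter names are constructed for the example.

```java
// Added example, not CloudBees' catalog import code. Sample names are constructed.
import javax.lang.model.SourceVersion;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class TemplateParameterCheck {

    /** True only if name can serve as a plain Java identifier: no dots, not a keyword. */
    public static boolean isValidParameterName(String name) {
        return name != null
                && SourceVersion.isIdentifier(name)  // syntactic check on start/part characters
                && !SourceVersion.isKeyword(name);   // rejects "class", "int", "true", ...
    }

    /** Every name that would fail validation; an empty list means the template can load. */
    public static List<String> invalidParameterNames(List<String> names) {
        List<String> bad = new ArrayList<>();
        for (String n : names) {
            if (!isValidParameterName(n)) {
                bad.add(n);
            }
        }
        return bad;
    }

    /** Fails the import with a message naming all bad parameters at once, rather than one per attempt. */
    public static void checkOrFail(String templateName, List<String> names) {
        List<String> bad = invalidParameterNames(names);
        if (!bad.isEmpty()) {
            throw new IllegalArgumentException("Template '" + templateName
                    + "' has parameter names that are not valid Java identifiers: " + bad);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: names as they might appear under a template.yaml
        // parameters section. Two are fine, four are not (hyphen, leading digit,
        // keyword, dot), which is the mix a catalog import log would need to report.
        List<String> names = Arrays.asList(
                "branch", "dockerImage", "build-type", "2ndTarget", "class", "deploy.target");
        for (String n : names) {
            System.out.println(n + " -> " + (isValidParameterName(n) ? "ok" : "INVALID"));
        }
        try {
            checkOrFail("example-service-template", names);
        } catch (IllegalArgumentException e) {
            System.out.println("Import failed: " + e.getMessage());
        }
    }
}
```

SourceVersion.isIdentifier accepts keywords and SourceVersion.isName accepts dotted qualified names, so the combination of isIdentifier and a negated isKeyword is what actually matches "valid Java identifier" for a single parameter name.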
The Pipeline: Build Step Plugin incorrectly logged a warning when converting choice-like parameters (NGPIPELINE-1026)
Starting in version 2.10 of the Pipeline: Build Step Plugin, passing parameters to downstream jobs that use the Extended Choice Parameters Plugin or Active Choices Plugin caused an erroneous warning about parameter conversion to be printed to the build log.
With this fix, the warning about parameter conversion is no longer printed to the build log for parameters from the Extended Choice Parameters Plugin or Active Choices Plugin.
This update only affects installations that use the Pipeline: Build Step plugin.
Restart required to turn off polling for an SCM on a Pipeline job (NGPIPELINE-917)
When a Pipeline job was configured to poll an SCM for updates, it could not be configured to stop polling that SCM unless Jenkins was restarted.
With this fix, turning polling off for an SCM in a Pipeline job will now immediately disable polling for that SCM on that job.