CloudBees Jenkins Enterprise 1.11.31

RELEASED: 2020-05-26

Based on Jenkins LTS 2.222.4-cb-1

Rolling release

Security advisory

  • CloudBees Security Advisory 2020-05-26

    This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform, CloudBees Jenkins Enterprise and CloudBees Core.

Security fixes

  • wikitext SecureOutputTest.outputIsSecureTest fails on the PCT (FNDJEN-2181)

    Tests were failing with the new Antisamy plugin.

    These tests have been fixed.

  • Open Redirect vulnerability on the Single Sign-On (SSO) process (CTR-1483)

    As part of the SSO process, the CloudBees Jenkins Operations Center (CJOC) redirects the user to the Master URL to finish the SSO process. The master was vulnerable to Host Header injection, leading to an Open Redirect vulnerability which may allow an attacker to steal a victim’s SSO session.

    This issue is due to an incomplete fix of CTR-1098, announced in the 2020-03-09 Security Advisory and wrongly called "CSRF in Authentication Mechanism in SSO". The vulnerability was not cross-site request forgery (CSRF), but an Open Redirect vulnerability.

    Masters now only support SSO requests from Hosts (or X-Forwarded-Host) matching the configured Jenkins Root URL. Any attempt to use a different URL will redirect to the configured Jenkins Root URL.

    This can be disabled in the Operations Center by setting the property com.cloudbees.opscenter.server.sso.SSOConfiguration.masterRootURLStrictCheckingDisabled=true, but will make the product insecure, so it should only be used as a temporary workaround. See Disabling the verification of the Jenkins Root URL for more information.
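    To make the Root URL check concrete, the following is a small Python model of the behaviour described above (an added illustration, not CloudBees' code): the requested host, taken from X-Forwarded-Host when present and otherwise from Host, must match the authority of the configured Jenkins Root URL, or the browser is sent to the Root URL instead. The /sso/finish path and the X-Forwarded-Host list handling are assumptions.

```python
import re
from urllib.parse import urlsplit

# Simplified model of the strict Root URL check; not the CloudBees implementation.
DEFAULT_PORTS = {"http": 80, "https": 443}
_AUTHORITY = re.compile(r"(?P<host>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(?P<port>\d{1,5}))?")


def parse_authority(authority, scheme):
    """Return (host, port) for a plain 'host[:port]' string, or None when it is not one.

    Userinfo ('a@b'), paths, and any other characters make the header unparseable,
    so they are rejected rather than partially accepted.
    """
    m = _AUTHORITY.fullmatch(authority.strip().lower())
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    return m.group("host"), port


def sso_redirect_target(root_url, host_header, x_forwarded_host=None,
                        path="/sso/finish", strict=True):
    """URL the master sends the browser to at the end of the SSO process.

    strict=True  models the fix: the requested host must equal the Root URL authority.
    strict=False models masterRootURLStrictCheckingDisabled=true: the header is trusted.
    """
    root = urlsplit(root_url)
    if root.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported Root URL scheme: {root.scheme!r}")
    expected = parse_authority(root.netloc, root.scheme)
    # A proxy chain may append to X-Forwarded-Host; the first entry is the client-facing host.
    requested = (x_forwarded_host or host_header).split(",")[0]
    actual = parse_authority(requested, root.scheme)
    if strict:
        if actual is None or actual != expected:
            return root_url  # mismatch or malformed header: bounce to the configured Root URL
    elif actual is None:
        raise ValueError(f"malformed host header: {requested!r}")
    host, port = actual
    netloc = host if port == DEFAULT_PORTS[root.scheme] else f"{host}:{port}"
    return f"{root.scheme}://{netloc}{path}"
```

With strict=False the final assertion in a test shows the pre-fix behaviour: a forged header steers the redirect to an arbitrary host, which is why the property is only a temporary workaround.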

New features

  • Tier 1 plugin support for Jenkins Configuration as Code (JCasC) (FNDJEN-1266)

    CloudBees tier 1 plugins now support JCasC. This is available for CloudBees Core, CloudBees Jenkins Distribution, and CloudBees Jenkins Platform.

    Go to the CloudBees supported platforms page for your product to see a list of the supported plugins.

Feature enhancements

  • Expose additional configuration options for Multibranch Pipelines in template.yaml (NGPIPELINE-1025)

    Multibranch Pipeline Templates in Pipeline Template Catalogs are now able to configure a Branch Property Strategy in template.yaml. Documentation for configuring these options as well as SCM behaviors can be found in the newly published Multibranch Pipeline Template syntax guide.

  • As a CloudBees Core Administrator, I want to be able to configure SSL off-loading at the ingress controller and leverage Server Name Indication (SNI). (CTR-1650) (CPLT2-6395)

    When setting up transport layer security (TLS) offloading at the Ingress Controller level, the Nginx Ingress Controller uses server name indication (SNI) to serve several hosts to clients. The Operations Center Agent did not support SNI when discovering Operations Center endpoints, and it wasn’t working in this kind of setup unless the certificate was configured as default, which was not always acceptable.

    With this fix, we switched the HTTP client used to discover Operations Center endpoints to an implementation that supports SNI.

  • Analytics for the Declarative Pipeline Migration Assistant plugin (NGPIPELINE-757)

    A new event was added to track the usage of the Declarative Pipeline Migration Assistant plugin.

  • Performance improvements to the Branch API Plugin WorkspaceLocatorImpl (NGPIPELINE-1071)

    The Branch API Plugin made a remote call to an agent every time it looked up the workspace for a Multibranch Pipeline project.

    The Branch API Plugin now caches workspace locations to avoid unnecessary remoting calls when looking up workspaces for Multibranch Pipeline projects.

  • WorkspaceLocatorImpl should not use Node instances as monitors (NGPIPELINE-1118)

    The Branch API Plugin locked Node objects during workspace cleanup operations, which could lead to unnecessary lock contention.

    The Branch API Plugin no longer locks Node objects during workspace cleanup operations.

Resolved issues

  • API fails on templatized job: NotExportableException: class GradleInstallation doesn’t have @ExportedBean (CPLT2-6466)

    Using the Jenkins export feature (for example, …/api/json?depth=1) on a templatized job could cause an error in case certain special template attribute controls were used, such as tool installations.

    The exported ‘values’ property of a templatized job now uses the persisted form of attribute controls, typically strings rather than the model objects they name, in cases where the live form would cause an export error. Note that the ‘depth’ query parameter is deprecated and should never be used; instead use ‘tree’ and specify those fields you wish to retrieve.

  • Issue in view-job-filters filtering by disabled (CPLT2-6274)

    The View Job Filters plugin had a job status filter purporting to let you filter in/out disabled jobs, which did not work for Pipeline.

    A generalized check was added to handle both traditional and Pipeline job types.

  • [JENKINS-61854] "Test Ldap Settings" button stopped functioning. (FNDJEN-2184)

    The button "Test LDAP Settings" stopped working on Jenkins 2.14 and later.

    The button has been fixed.

  • Multibranch Pipelines based on Pipeline Templates cannot enable "Suppress automatic SCM triggering" (NGPIPELINE-1025)

    Multibranch Pipelines based on Pipeline Templates from Pipeline Template Catalogs could not enable "Suppress automatic SCM triggering" because a "Branch Property Strategy" could not be configured.

    Multibranch Pipelines based on Pipeline Templates from Pipeline Template Catalogs are now able to configure a "Branch Property Strategy".

  • The Pipeline:Job plugin had a JavaScript error with IE11 (NGPIPELINE-1145)

    The Pipeline console view did not work correctly in Internet Explorer 11 due to use of unsupported JavaScript functions.

    The Pipeline console view now only uses JavaScript functions that are supported by Internet Explorer 11.

  • Parameter names for templates in Pipeline Template Catalogs are not validated correctly. (NGPIPELINE-1006)

    If a parameter used in the template.yaml file for a Pipeline Template in a Pipeline Template Catalog was not a valid Java identifier, the template would silently fail to load.

    When a template is imported, the parameters are checked to make sure they are valid Java identifiers. If not, a validation error is displayed in the catalog import log and the import fails.

  • Using a properties step with a Pipeline Template breaks the connection to the root template (NGPIPELINE-905)

    Using the properties step inside of a non-Multibranch Pipeline created from a Pipeline Template in a Pipeline Template Catalog caused the Pipeline to become permanently detached from the Pipeline Template.

    Using the properties step inside of a non-Multibranch Pipeline created from a Pipeline Template in a Pipeline Template Catalog no longer causes the Pipeline to become permanently detached from the Pipeline Template. Pipeline Template Catalogs must be reimported in order for the fix to take effect. Jobs that were already detached from their template will not be fixed automatically; they must be manually recreated from a Pipeline Template.

  • Library step cannot be used at top of Declarative Pipeline with entire Pipeline timeout rule (NGPIPELINE-1125)

    In a Declarative Pipeline, use of the library step could cause validation of top-level timeout policies to show misleading validation failures.

    A code change was made to allow the library step to be treated similarly to @Library when placed above the opening line of the pipeline { … } block.

  • [JENKINS-62063] BlueOcean UI is broken due to ClassCastException (NGPIPELINE-1169)

    The BlueOcean UI is broken due to ClassCastException when using the CloudBees Pipeline: Templates Plugin and the Pipeline: Multibranch with defaults Plugin.

    A check was added to ensure the Pipeline instance is castable to the appropriate type.

  • The CloudBees Fast Archiving Plugin used a check that was not thread safe (CTR-1660)

    With this fix, the archiveArtifacts step can be used in parallel blocks and on filesystems that are not high-performance filesystems.

  • Managed Master provisioning error (CTR-1716)

    When provisioning a Managed Master using Configuration as Code (CasC) for Masters, an internal application programming interface (API) was returning the wrong value. This erroneous value caused the provisioning to fail.

    With this fix, the API call now returns an appropriate value, and provisioning of masters through Configuration as Code (CasC) for Masters works as expected.

  • Masters provisioning in Configuration as Code (CasC) for Masters is broken if security.xml is deleted (CTR-1138)

    When using Configuration as Code (CasC) for Masters, there was an issue provisioning masters when the security file, JENKINS_HOME/core-casc-security.xml, did not exist.

    Now the provisioning process continues normally even when the security file is missing.

  • Check the availability of the Configuration as Code (CasC) for Masters bundle when the CM-OC connection is done (CTR-758)

    If a warning about the unavailability of the configuration bundle had already been raised because of Client Master-Operations Center connection issues, the warning persisted after the connection was restored until the periodic work task next executed.

    With this fix, whenever a master is connected to the Operations Center, a request for the configuration bundle is completed to avoid delays in updating administrator warnings.

Known issues

None