CloudBees Jenkins Enterprise 1.11.32

RELEASED: 2020-06-22

Based on Jenkins LTS 2.235.1-cb-2

Rolling release

Security advisory

  • CloudBees Security Advisory 2020-06-22

    This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform, CloudBees Jenkins Enterprise and CloudBees Core.

Security fixes

New features

  • To reflect the needs of medium to large organizations, Jenkins v2.222 introduced two new permissions that let a CloudBees Core administrator delegate some parts of administration to a user without having to grant them the powerful Overall/Administrator permission.

    The two new permissions are:

    • Overall/Manage: safely grant a user the ability to manage a subset of CloudBees Core configuration options.

    • Overall/SystemRead: grant a user the ability to view most CloudBees Core configuration options, but in read-only mode.

      When using Role-based matrix authorization as your Global Security Authorization Strategy provided by the CloudBees Role-Based Access Control Plugin, the administrator can grant a user/group the Overall/Manage and/or Overall/SystemRead permission to enable this functionality.

      These new permissions are currently “Experimental” and disabled by default. To enable these new permissions, see Delegating Administration.

Feature enhancements

Resolved issues

  • Add JCasC compatibility to git-validated-merge plugin (FNDJEN-2084)

    Previous versions of git-validated-merge plugin were not tested to be compatible with JCasC.

    The git-validated-merge-plugin is now tested to be compatible with JCasC.

  • Remove Availability option incompatible with permanent agents (CTR-1813)

    In a CloudBees Jenkins Operations Center, creating a Permanent Agent with the Availability option "Take this node off-line when idle" made the Jenkins instance crash because this Availability option is not compatible with Permanent Agents.

    The "Take this node off-line when idle" Availability option is now only possible for Shared Agents.

  • Script Security plugin depended on and bundled an outdated version of caffeine. (NGPIPELINE-1172)

    Script Security now depends on and bundles caffeine 2.8.2.

    This update only affects instances with the Script Security plugin.

  • PathRemover should abort early after seeing a large number of exceptions (NGPIPELINE-1073)

    In certain situations, Jenkins can be unable to write to or delete from disk during a build because of filesystem permissions. A customer reported a situation where this resulted in tens of thousands of FileSystemExceptions being thrown, which in turn ran the instance out of memory, triggering the OOM killer.

    Instead of logging a needlessly large number of these exceptions, we now log a reasonable number, 100 or fewer, and fail the build instead of trying to continue.

Known issues

None.