CloudBees Jenkins Platform Client Master 22.214.171.124
RELEASED: Public: 2019-11-21
Security advisory CloudBees Security Advisory 2019-11-21
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
user set a 'blank' probe command for a node, an odd and unrelated exception was shown in the logs. With this fix, a blank command is treated as a command failure, and the cause is displayed in the node monitor and in the logs.
5.28. Stored XSS could have been submitted on group description, and
anyone who checked the group description via tooltip would then trigger
an XSS. With this fix, we now use MarkupFormatter to transform the
content of the group’s description depending on what is configured in
the Global Security section.
126.96.36.199. In some cases, when the connection between master and OC
failed, it was retried with a deprecated and insecure connector
(ClassicConnector). With this fix, we have disabled ClassicConnector (by
default), so it’s not used.
188.8.131.52. An XSS vulnerability was possible when an item with a
malicious display name was shown in the Move/Copy/Promote browser bar.
With this fix, user input is sanitized before adding it to the HTML
source, preventing an XSS vulnerability.
The previously provided version of the Jira plugin, 3.0.9, bundled Jackson 1.x in its dependencies which made it vulnerable to CVE-2017-7525. The upgrade to Jira plugin version 3.0.10 excludes these Jackson libraries.
Under certain circumstances, Jenkins may “hang” with the following conditions:
The Jenkins java process is running in a waiting state.
Jenkins is effectively down.
Nothing is logged.
Sometimes, after numerous restarts, the Jenkins service may start up again normally.
The root cause for this issue is that the Jenkins service hangs immediately before it forks the child process that starts Jetty and Jenkins. Although the Java process is running, nothing is logged, because Jenkins has not yet started and is not yet listening on any port.
NOTE: This issue affects a very small number of CloudBees customers. You only need to take action if you are directly affected by this issue: if you are not experiencing this issue, no action is necessary.
A workaround is available in the CloudBees Support Knowledge Base article Jenkins intermittently fails to restart on RHEL 7 and CentOS 7.