CloudBees Jenkins Platform 2.222.42.0.2 Revision 2

RELEASED: 2020-11-25

Based on Jenkins LTS 2.222.42-cb-1

Fixed release

Security advisory

Upgrade notes

Security omissions

In June we published a security advisory announcing fixes for 3 CSRF vulnerabilities (CTR-1643, CTR-1644 and CTR-1644). We stated that these vulnerabilities were fixed in 2.235.1.2 and in the fixed line release 2.190.31.0.2 rev6, and those releases did contain the fixes as announced.

However, these vulnerabilities should have also been fixed in the subsequent releases of the 2.222 fixed line, but were not included due to a newly discovered issue with our release process. Specifically, the following releases should have included these fixes, but did not:

  • 2.222.41.0.1

  • 2.222.42.0.1

  • 2.222.42.0.2

Upon discovering this omission, we immediately analyzed its impact on our customers. We have confirmed that only these 3 issues (CTR-1643, CTR-1644 and CTR-1644) were omitted from those releases.

We are producing a new security incremental (2.222.42.0.2 rev2) to address these vulnerabilities and we strongly recommend customers update to this version. We are treating this as a major incident and are already taking actions to fix the identified issue in our release process so that this cannot happen again.

Please accept our sincere apologies for this omission.