CloudBees Jenkins Platform 220.127.116.11
Based on Jenkins
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.
To reflect the needs of medium to larger organizations, two new permissions have been introduced with Jenkins v2.222 which enable a CloudBees Core administrator to delegate some parts of administration to a user without having to grant them the powerful Overall/Administrator permission.
The two new permissions include:
Overall/Manage: safely grant a user the ability to manage a subset of CloudBees Core configuration options.
Overall/SystemRead: grant a user the ability to view most CloudBees Core configuration options, but in read-only mode.
When using Role-based matrix authorization as your Global Security Authorization Strategy provided by the CloudBees Role-Based Access Control Plugin, the administrator can grant a user/group the Overall/Manage and/or Overall/SystemRead permission to enable this functionality.
These new permissions are currently “Experimental” and disabled by default. To enable these new permissions, see Delegating Administration.
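As an added illustration of the delegation model described above (not taken from the CloudBees documentation), the following Jenkins Configuration as Code fragment grants the two delegated permissions to separate groups while reserving Overall/Administer for a single account. It assumes the open-source Matrix Authorization Strategy plugin's `globalMatrix` syntax rather than the CloudBees RBAC plugin, and the group names are constructed placeholders; the permissions themselves are experimental at this release and must first be enabled as described under Delegating Administration.

```yaml
# Added example (assumed globalMatrix syntax, placeholder group names).
jenkins:
  authorizationStrategy:
    globalMatrix:
      permissions:
        # Full control stays with one tightly held account.
        - "Overall/Administer:admin"
        # Platform operators may change a subset of configuration
        # without being able to escalate to Administer.
        - "Overall/Manage:platform-ops"
        # Auditors can inspect configuration but change nothing.
        - "Overall/SystemRead:auditors"
        # Everyone else only gets basic read access to the instance.
        - "Overall/Read:authenticated"
```

Keeping Administer off the `platform-ops` and `auditors` groups is the point of the change: a compromised operator or auditor account can no longer install plugins, run scripts or rewrite security settings.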
The CloudBees GitHub Reporting Plugin has been added to the CloudBees Assurance Program (CAP).
The CloudBees Slack Integration Plugin has been added to the CloudBees Assurance Program (CAP).
Jenkins UI improvements (FNDJEN-2001, FNDJEN-2076, FNDJEN-1902)
The following enhancements were made to the Jenkins UI as part of CloudBees' ongoing efforts to improve the usability of the UI:
Buttons were restyled.
The page footer was updated.
The user system fonts are now used.
Font sizes are now consistent across the application.
Replace Oracle JRE with OpenJDK in Windows distributables (PRD-2460)
Oracle JRE has been replaced with OpenJDK in Windows distributables. This was necessary to prevent potential Oracle licensing violations.
rootCA certificate will expire Oct 2021 (CTR-1724)
The rootCA certificate bundled with the CloudBees Jenkins Enterprise License Entitlement Check plugin will expire in Oct 2021, breaking the ability to check for new plugins or updates.
We added a new root certificate and code support for checking against multiple signing certificates.
Add telemetry for CloudBees High Availability (CTR-1898)
Add JCasC compatibility to Trigger Restrictions Plugin (CTR-1568, FNDJEN-2081)
JCasC compatibility with the CloudBees Skip Next Build Plugin (CTR-1567)
Outdated okhttp v2.7.5 library does not support modern features including TLS 1.3. (NGPIPELINE-374)
Updated to use newer okhttp3 APIs with v3.12.12.
This update only affects instances with the GitHub Branch Source plugin.
CloudBees High Availability failure in Operations Center because of the
A misaligned version in a dependency caused a
The dependency is not needed anymore and has been removed from the product.
The Jenkins High Availability plugin not working properly on CB products based on LTS 2.235 (CTR-1855)
The FORCE_SESSION_TRACKING_BY_COOKIE_PROP property has to be disabled to get CloudBees High Availability (HA) working properly.
Confirmation window text misleading for Personalized Slack Messaging (STICKY-490)
The confirmation message displayed when deleting a user refers to the Slack token instead of the user.
The confirmation message now refers to the user.
Update wording in Slack integration user administration (STICKY-489)
There were some typos and references to "Jenkins" in the user configuration page for the CloudBees CI Personalized Slack Messaging feature.
With this fix, the text now refers to "CloudBees CI" and the typos have been corrected.
Slack test message is misleading (STICKY-487)
The test message for the Personalized Slack Messaging feature was the same as the welcome message; however, the messages serve different purposes so the content was misleading.
With this fix, the test message is unique from the welcome message and conveys to the user the correct purpose of the message.
Add JCasC compatibility to git-validated-merge plugin (FNDJEN-2084)
Previous versions of git-validated-merge plugin were not tested to be compatible with JCasC.
The git-validated-merge-plugin is now tested to be compatible with JCasC.
Remove Availability option incompatible with permanent agents (CTR-1813)
In a CloudBees Jenkins Operations Center, creating a Permanent Agent with the Availability option "Take this node off-line when idle" made the Jenkins instance crash because this Availability option is not compatible with Permanent Agents.
The "Take this node off-line when idle" Availability option is now only available for Shared Agents.
Script Security plugin depended on and bundled an outdated version of caffeine. (NGPIPELINE-1172)
Script Security now depends on and bundles caffeine 2.8.2.
This update only affects instances with the Script Security plugin.
PathRemover should abort early after seeing a large number of exceptions (NGPIPELINE-1073)
In certain situations, it is possible for Jenkins to be unable to write to or delete from disk during a build because of filesystem permissions. A customer reported a situation where this resulted in tens of thousands of FileSystemExceptions being thrown, which in turn ran the instance out of memory, triggering the OOM killer.
Instead of logging a needlessly large number of these exceptions, we log a reasonable number, 100 or fewer, and fail the build instead of trying to continue.