CloudBees Git Validated Merge Plugin 3.31.1


RELEASED: Public: July 27, 2022

Security fixes

Git client plugin versions prior to 3.11.1 are vulnerable to man-in-the-middle attacks (BEE-21945)

Git client plugin versions prior to version 3.11.1 are vulnerable to man-in-the-middle attacks. Additionally, because the CloudBees Git Validated Merge plugin uses the Git client plugin to provide an SSH connection, it is also vulnerable.

This issue has been resolved. The Git client plugin now lets you select from the following options to verify the SSH keys that are presented by the Git repository host servers:

  • Accept first connection strategy (default) - Automatically adds keys to the known_hosts file for hosts that have not been seen before. This option prevents connections to previously seen hosts if their keys have been modified.

  • Known hosts file - This option verifies all host keys against the known_hosts file.

  • Manually provided keys - This option verifies all host keys against a set of manually configured keys.

  • No verification - Does not verify host keys. This option is insecure and is not recommended.

To configure the host key verification strategy, select Manage Jenkins > Configure Global Security > Git Host Key Verification Configuration.
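The following added example (not code from the Git client plugin or from CloudBees) is a simplified model of how the four strategies listed above decide whether to trust a presented host key, and it shows that the default strategy trusts an unseen host's key without checking it. The `Strategy` enum, the `parse_known_hosts` and `verify` helpers, the host names and the key strings are all constructed for illustration; hashed and `@`-marker known_hosts entries are not handled.

```python
from enum import Enum

class Strategy(Enum):  # names mirror the options in the release note
    ACCEPT_FIRST = "Accept first connection"
    KNOWN_HOSTS = "Known hosts file"
    MANUAL_KEYS = "Manually provided keys"
    NO_VERIFICATION = "No verification"

# Constructed sample known_hosts content (not real keys).
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
git.example.com ssh-ed25519 AAAAC3constructedKeyA
"""

def parse_known_hosts(text):
    """Parse plain 'host[,host] keytype key' lines into {host: {(type, key)}}.
    Comments, hashed (|1|...) entries and @marker lines are skipped."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            known.setdefault(host, set()).add((fields[1], fields[2]))
    return known

def verify(strategy, host, presented, trusted):
    """Return (accepted, reason) for a presented (keytype, key) pair.
    `trusted` holds known_hosts entries, or the manually configured keys
    for MANUAL_KEYS. Only ACCEPT_FIRST ever adds to it."""
    if strategy is Strategy.NO_VERIFICATION:
        return True, "not verified"
    if host in trusted:
        if presented in trusted[host]:
            return True, "key matches"
        return False, "key mismatch"
    if strategy is Strategy.ACCEPT_FIRST:
        # The first connection is trusted without any check, then pinned.
        trusted[host] = {presented}
        return True, "unseen host: key recorded without verification"
    return False, "host has no trusted key"

if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    key_b = ("ssh-ed25519", "AAAAC3constructedKeyB")
    for s in Strategy:
        print(s.value, "->", verify(s, "git.example.com", key_b, dict(known)))
```

Under this model, only the "Known hosts file" and "Manually provided keys" strategies reject a host whose key was never provisioned, so the trusted keys have to be in place before either strategy is selected.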

New features

None.

Feature enhancements

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.