A bug introduced in Jenkins 2.96 will downgrade Script Security Plugin to version 2.18.1, possibly resulting in cascading failures to load other plugins (and reintroducing security issues). We recommend updating Script Security Plugin to its newest release and immediately restarting Jenkins to resolve this issue.
Make sure detached plugins (plugins whose functionality used to be part of Jenkins itself) are installed when upgrading Jenkins past the version at which the plugin was detached.
(issue 48365)
Do not require CSRF crumb to be provided when the request is authenticated using API token.
(issue 22474)
Improve robustness and error handling of various file operations by switching to NIO.
(issue 47324, issue 48405)
Update Stapler from 1.253 to 1.254 to make the form that shows up when a URL requiring POST is accessed using a different HTTP verb work with CSRF protection enabled.
(issue 34254, Stapler changelog)
Fix a performance regression in Jenkins 2.86 due to lock contention in ExtensionList.
(issue 48505)
Trigger SecurityListener#loggedIn events on programmatic login during self-registration when using HudsonPrivateSecurityRealm.
(issue 48383)
Developer: Capture more authentication-related events in SecurityListener.
(issue 27027)
Developer: Deprecate hudson.util.Service in favor of Java's ServiceLoader.
(pull 3191)
Developer: Introduce Cause.UserIdCause(String) constructor, which allows creating causes for specified users without switching the user context.
(pull 3162)