Each section covers the upgrade from the previous LTS release; the section on 2.222.1 covers the upgrade from 2.204.6.
No notable changes requiring upgrade notes.
No notable changes requiring upgrade notes.
The Jenkins 2.222.2 release was not delivered to the downloads site or to the artifact repository. No notable changes requiring upgrade notes.
2.222.1 and 2.204.6 were released on the same day, and both contain the same security fixes. This upgrade guide only covers the upgrade from 2.204.6. See its upgrade guide for information related to upgrading from 2.204.5, including all information related to security fixes common to both releases.
The global build discarder configuration is saved when the administrator modifies it, but is not loaded when Jenkins restarts. The default global build discarder configuration is used when Jenkins restarts.
On every restart, Jenkins 2.222.1 will start with the default build discarder configured. That means:
Any custom global build discarder configuration is lost on restart
Users who don’t want background build discarders get the default one
Jenkins will by default periodically run build discarders configured in projects, even when no builds are currently running. This may delete old builds of projects that have been configured with a more aggressive build discarder configuration since the last build was run.
We recommend reviewing project configurations for aggressive build discarder settings before upgrading Jenkins if this change in behavior could result in unexpected data loss.
We recommend creating backups of your Jenkins configuration and data regularly.
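One way to do the pre-upgrade review recommended above, as an added example that is not Jenkins project code: it reads a job's config.xml and reports which existing builds fall outside the configured LogRotator limits. The sample XML and build list are constructed, and builds that Jenkins protects from deletion (such as ones marked to be kept) are not modeled, so the result is an upper bound.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample job config.xml: keep at most 3 builds, none older than 30 days.
SAMPLE_JOB = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <properties>
    <jenkins.model.BuildDiscarderProperty>
      <strategy class="hudson.tasks.LogRotator">
        <daysToKeep>30</daysToKeep>
        <numToKeep>3</numToKeep>
        <artifactDaysToKeep>-1</artifactDaysToKeep>
        <artifactNumToKeep>-1</artifactNumToKeep>
      </strategy>
    </jenkins.model.BuildDiscarderProperty>
  </properties>
</project>"""


def builds_at_risk(job_config_xml, builds):
    """builds is a list of (build_number, age_in_days) pairs.

    Returns the sorted build numbers that exceed the job's LogRotator limits.
    """
    # Drop the XML declaration: Jenkins writes version 1.1, which Python's
    # expat-based parser does not accept.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", job_config_xml, count=1)
    root = ET.fromstring(body)
    # Match on the class attribute so the element name does not matter.
    rotator = next(
        (e for e in root.iter() if e.get("class") == "hudson.tasks.LogRotator"),
        None,
    )
    if rotator is None:
        return []  # no per-project build discarder configured

    def limit(tag):
        text = (rotator.findtext(tag) or "").strip()
        return int(text) if text else -1  # -1 means "no limit"

    days, num = limit("daysToKeep"), limit("numToKeep")
    at_risk = set()
    if num >= 0:
        newest_first = sorted(builds, reverse=True)
        at_risk.update(number for number, _ in newest_first[num:])
    if days >= 0:
        at_risk.update(number for number, age in builds if age > days)
    return sorted(at_risk)
```
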
Jenkins will automatically enable CSRF protection with the default crumb issuer if it was disabled before. The ability to not have CSRF protection enabled has been deprecated and removed from the UI.
API clients should authenticate using API tokens, which have not required CSRF crumbs since 2.96.
Set the system property hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to true on startup to disable CSRF protection as well as the configuration UI for it.
This is an unsupported option and may be removed in the future.
While Jenkins is running, the configuration UI can be locked/unlocked by running one of the following commands in the script console:
// to allow disabling
hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true
// to force enabled
hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = false
This will not immediately change the configured crumb issuer; the Configure Global Security form must be submitted once to change the setting accordingly.
Inbound TCP Agent Protocol versions 1, 2, and 3 (also known as JNLP Protocols or Java Web Start Protocols) have been removed. These protocols have been deprecated since Jenkins 2.75 in 2017.
SSH Build Agents Plugin uses the latest agent.jar, but other agent types may need to have their agent.jar updated manually.
To reduce the number of times that browser password auto-fill will inappropriately fill in saved credentials, the password form fields used in Jenkins configuration forms have been redesigned.
In case this change causes problems, it can be reverted by setting the system property hudson.Functions.hidingPasswordFields to true.
In 2017, the Overall/RunScripts, Overall/UploadPlugins, and Overall/ConfigureUpdateCenter permissions were announced as potentially dangerous and hidden from view in Matrix Authorization Plugin and Role-based Strategy Plugin to prevent accidental misconfigurations (2017-04-10 security advisory).
These permissions are now deprecated and no longer used in Jenkins core.
Configurations which grant any of these permissions while not granting Overall/Administer will no longer work as before, as Jenkins now requires Overall/Administer permission for features previously governed by these permissions.
Custom authorization strategies that grant Overall/Administer without implying one or more of those permissions will no longer work as expected as a result.
Plugins are also expected to switch from requiring these deprecated permissions to requiring Overall/Administer instead, resulting in further unexpected behavior changes in these configurations.
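A pre-upgrade check for the affected configurations described above, as an added example that is not Jenkins project code: it scans a global config.xml for SIDs that hold one of the three deprecated permissions without Overall/Administer. The "permission id:sid" entry shape is an assumption about how Matrix Authorization Plugin stores grants, the sample file and SIDs are constructed, and group membership and other authorization strategies are not evaluated.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Permission IDs as stored on disk (the Overall group is owned by hudson.model.Hudson).
ADMINISTER = "hudson.model.Hudson.Administer"
DEPRECATED = {
    "hudson.model.Hudson.RunScripts",
    "hudson.model.Hudson.UploadPlugins",
    "hudson.model.Hudson.ConfigureUpdateCenter",
}

# Constructed sample of a global config.xml; the SIDs are made up.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.RunScripts:admin</permission>
    <permission>hudson.model.Hudson.Read:ops</permission>
    <permission>hudson.model.Hudson.UploadPlugins:ops</permission>
    <permission>hudson.model.Hudson.ConfigureUpdateCenter:ops</permission>
    <permission>hudson.model.Hudson.Read:dev</permission>
  </authorizationStrategy>
</hudson>"""

def find_affected_grants(config_xml):
    """Return {sid: [deprecated permissions]} for SIDs lacking Overall/Administer."""
    # Drop the XML declaration: Jenkins writes version 1.1, which Python's
    # expat-based parser does not accept.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    strategy = ET.fromstring(body).find("authorizationStrategy")
    if strategy is None:
        return {}
    granted = defaultdict(set)
    for entry in strategy.iter("permission"):
        # Assumed entry shape: "<permission id>:<sid>"; split on the first colon
        # so a SID that itself contains a colon stays intact.
        perm, sep, sid = (entry.text or "").strip().partition(":")
        if sep:
            granted[sid].add(perm)
    return {
        sid: sorted(perms & DEPRECATED)
        for sid, perms in granted.items()
        if perms & DEPRECATED and ADMINISTER not in perms
    }

if __name__ == "__main__":
    for sid, perms in find_affected_grants(SAMPLE_CONFIG).items():
        print(sid, "->", ", ".join(perms))
```

Each SID it reports will lose the corresponding features after the upgrade unless it is also granted Overall/Administer.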
Network discovery features, DNS multicast and UDP broadcast, were previously disabled and discouraged because of various problems, including SECURITY-1641 in Jenkins Security Advisory 2020-01-29. They have now been removed without replacement.
Swarm Plugin needs to be updated to version 3.18 or above, otherwise the error described in JENKINS-61029 occurs. This also removes the network discovery capability of the plugin.
Instances with plugins that depend on specific details of the Jenkins UI (like Simple Theme plugin) may experience issues with this release and may need to be updated. In the case of the Simple Theme plugin, theme maintainers may need to adapt the theme to the UI changes.
The resource file jenkins-slave.xml has been removed as it’s been unused in Jenkins core since 2017.
WMI Windows Agents Plugin needs to be updated to version 1.3.1 or newer (released in March 2017).