Page 5

• JEP-200: Remoting / XStream whitelist integrated into Jenkins core

  There is a newer version of the announcement for Jenkins administrators. Please see this blogpost. Overview JEP-200 has been integrated into Jenkins weekly builds and (if all goes well) will be a part of the next LTS line. In a nutshell, this change is a security hardening measure to be less permissive about deserializing Java classes defined in the Java Platform or libraries bundled with Jenkins. For...

  Jesse Glick January 13, 2018
• Security updates for Jenkins core

  We just released security updates to Jenkins, versions 2.95 and 2.89.2, that fix two security vulnerabilities. For an overview of what was fixed, see the security advisory. We usually announce core security updates well in advance on the jenkinsci-advisories mailing list, to give Jenkins administrators time to schedule a maintenance. Additionally, we try to align security updates with the regular LTS schedule. We have...

  Daniel Beck December 14, 2017
• Security updates for Jenkins core

  We just released security updates to Jenkins, versions 2.89 and 2.73.3, that fix two low-severity security vulnerabilities. For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security....

  Daniel Beck November 8, 2017
• Security updates for multiple Jenkins plugins

  Multiple Jenkins plugins received updates today that fix several security vulnerabilities. Active Choices (uno-choice) Build-Publisher Dependency Graph Viewer global-build-stats Additionally, the Multijob Plugin also received a security update several weeks ago. For an overview of these security fixes, see the security advisory. Active Choices Plugin distribution had been suspended since April due to its mandatory dependency on the suspended Scriptler Plugin. That dependency has been made optional, so...

  Daniel Beck October 23, 2017
• Important security updates for Jenkins core and plugins

  We just released security updates to Jenkins, versions 2.84 and 2.73.2, that fix several security vulnerabilities. Additionally, we published a new release of Swarm Plugin whose client contains a security fix, and Maven Plugin 3.0 was recently released to resolve a security issue. Users of Swarm Plugin and Maven Plugin should update these to their respective newest versions. For an overview of what...

  Daniel Beck October 11, 2017
• Important security updates for multiple Jenkins plugins

  Multiple Jenkins plugins received updates today that fix several security vulnerabilities, including multiple high severity ones. We strongly recommend updating the following plugins as soon as possible: Blue Ocean Pipeline: Groovy Plugin Script Security Plugin Less severe security updates have been released for these plugins: Config File Provider Plugin Datadog Plugin Deploy to container Plugin DRY Plugin Pipeline: Input Step Plugin Static Analysis Utilities Plugin Additionally, the OWASP Dependency-Check Plugin recently also...

  Daniel Beck August 7, 2017
• Security updates for multiple Jenkins plugins

  Multiple Jenkins plugins received updates today that fix several security vulnerabilities, including high severity ones: Docker Commons Plugin Git Plugin GitHub Branch Source Plugin Parameterized Trigger Plugin Periodic Backup Plugin Pipeline: Build Step Plugin Pipeline: Groovy Plugin Poll SCM Plugin Role-based Authorization Strategy Plugin Script Security Plugin Sidebar Link Plugin Subversion Plugin Additionally, the SSH Plugin received a security update a few days ago. For an overview of what was fixed, see the security...

  Daniel Beck July 10, 2017
• Important security updates for Jenkins core

  We just released security updates to Jenkins, versions 2.57 and 2.46.2, that fix several security vulnerabilities, including a critical one. That critical vulnerability is an unauthenticated remote code execution via the remoting-based CLI. When I announced the fix for the previous vulnerability of this kind, I announced our plans to revisit the design of the CLI that enabled this class of vulnerabilities. Since...

  Daniel Beck April 26, 2017
• New, safer CLI in 2.54

  In response to the zero-day vulnerability we fixed in November, I wrote the following: Moving forward, the Jenkins security team is revisiting the design of the Jenkins CLI over the coming weeks to prevent this class of vulnerability in the future. If you are interested in participating in that discussion, please join in on the jenkinsci-dev@ mailing list. In early February, several project...

  Daniel Beck April 11, 2017