CloudBees, Inc.

Jenkins OSS LTS 2.107.1-cb-3

New Features

Major JEP-200: XStream and Remoting now use whitelists

XStream and Remoting now use whitelists instead of blacklists

  • This change is a major security hardening, which protects instances from class deserialization attacks. See this page for more information.
  • This change has a high risk of regressions in Jenkins plugins. The list of affected plugins is available on this Wiki page. Such plugins need to be updated before the upgrade to this version. Please follow these upgrade guidelines.
  • If you use home-made plugins, they may be affected by the change as well.

Major Use XML 1.1

Config files now use XML 1.1, which allows for the support of additional characters that are not considered legal in XML 1.0 documents. Configuration files generated by previous versions will be silently updated to the new version, and are not backwards compatible with older instances.

Downgrading to a previous version is generally discouraged. A downgrade to a version older than this one will fail with numerous XML parsing exceptions, because the configuration files carry a declaration tag specifying that they are XML 1.1. If a downgrade must be performed, it will be necessary to perform a global find/replace operation on all XML files.
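The find/replace described above can be checked before it is run. This is an added example, not CloudBees or Jenkins code: it dry-runs the declaration rewrite over a copy of the Jenkins home directory and flags files that would still fail under XML 1.0 because they contain characters only XML 1.1 permits. The function names and the `<?xml version='1.1' ...?>` declaration form are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed declaration form: <?xml version='1.1' ...?> (single or double quotes).
DECL_11 = re.compile(rb"\A(\s*<\?xml\s+version=)(['\"])1\.1\2")
# Numeric character references such as &#27; or &#x1b;
CHAR_REF = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")

def legal_in_xml10(cp):
    """True if the code point matches the XML 1.0 'Char' production."""
    return (cp in (0x9, 0xA, 0xD) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)

def xml10_blockers(data):
    """Code points (raw or as character references) that XML 1.0 rejects."""
    text = data.decode("utf-8", errors="replace")
    refs = (m.group(1) for m in CHAR_REF.finditer(text))
    cps = {int(r[1:], 16) if r.startswith("x") else int(r) for r in refs}
    cps.update(ord(ch) for ch in text)
    return sorted(cp for cp in cps if not legal_in_xml10(cp))

def downgrade_declaration(path, apply=False):
    """Classify one file; rewrite 1.1 -> 1.0 only if apply=True and it is safe."""
    data = path.read_bytes()
    if not DECL_11.match(data):
        return "skipped"        # already XML 1.0, or no declaration at all
    if xml10_blockers(data):
        return "blocked"        # would still fail to parse as XML 1.0
    if apply:
        path.write_bytes(DECL_11.sub(rb"\g<1>\g<2>1.0\g<2>", data, count=1))
        return "rewritten"
    return "would-rewrite"

def audit(home, apply=False):
    """Map each *.xml under home to its result; a dry run unless apply=True."""
    return {str(p.relative_to(home)): downgrade_declaration(p, apply)
            for p in sorted(Path(home).rglob("*.xml"))}

if __name__ == "__main__":
    # Constructed sample files, not real Jenkins configuration.
    decl = b"<?xml version='1.1' encoding='UTF-8'?>\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "config.xml").write_bytes(decl + b"<hudson/>\n")
        Path(d, "job.xml").write_bytes(decl + b"<d>&#x1b;[0m</d>\n")
        print(audit(d))               # dry run
        print(audit(d, apply=True))   # rewrite only the safe file
```

Files reported as `blocked` need their content edited by hand before an older Jenkins can read them; changing the declaration alone is not enough.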

Minor JENKINS-46154

Update Remoting from 3.14 to 3.17 to integrate multiple fixes and improvements.

Minor Remove support for unbounded number of polling threads

Remove support for an unbounded number of SCM polling threads. Previously, the default was infinite, and the value could be set to between 10 and 100. Existing installations with unbounded SCM polling threads will now use the default of 10, and it is no longer possible to use a value outside of this range.

Minor JENKINS-22474

Do not require a CSRF crumb to be provided when the request is authenticated using an API token.

Minor JENKINS-47043

Introduce new hudson.lifecycle.ExitLifecycle to exit instead of restart.

Minor Update SSHD Module 2.0 to 2.4

Update SSHD Module 2.0 to 2.4 to update Apache Mina SSHD Core from 1.6.0 to 1.7.0, and fire authentication events in SecurityListeners when a user connects using SSH.

Minor JENKINS-43786

Re-style the Manage Jenkins page, including administrative monitors.

Minor Separate original and downstream dependency errors

When Jenkins fails to load plugins, show the failures that users need to take action on separately from those caused by other plugins failing to load.

Minor JENKINS-48638

Jenkins#getInstance() is now deprecated as its semantics have been a source of confusion for some time. Use #get() in typical cases and Jenkins#getInstanceOrNull() in rare cases (see Javadoc).

Minor JENKINS-47718

Deprecate the ambiguous User#getUser(String) in favor of User#getById() or the new User#getOrCreateByIdOrFullName() method.

Resolved issues

Minor JENKINS-21017

Updating Jenkins jobs and views by XML left fields at their old value if not defined in the new XML.

Minor JENKINS-48447

Fix HTTP 404 error when clicking on New View sidebar link from another view.

Minor JENKINS-48725

Update to task reactor 1.5 to prevent hanging of Jenkins on startup/reload when an initialization task throws an unhandled exception.

Known issues

None