We just released security updates to Jenkins, versions 2.154 and LTS 2.150.1, that fix multiple security vulnerabilities. Since 2.150.1 is the first release in the new LTS line, we also released 2.138.4, a security update for the previous LTS line. This allows administrators to install today’s security fixes without having to upgrade to the new LTS line immediately.
In the Jenkins core security updates released in August and October, we also included security improvements that can be disabled by setting various system properties. Those changes are an essential part of the SECURITY-595 fix, so we strongly recommend not disabling them for any reason. Previously published documentation has been updated.