Upgrading to Jenkins LTS 2.107.x

Each section covers the upgrade from the previous LTS release, the section on 2.107.1 covers the upgrade from 2.89.4.

Upgrading to Jenkins LTS 2.107.3

Jenkins user database no longer allows user signup with unsafe characters

The Jenkins user database now restricts user names for user signup. Only alphanumeric, dash, and underscore characters are allowed.

To change what user names are legal, set the system property hudson.security.HudsonPrivateSecurityRealm.ID_REGEX to a regular expression that any legal user name must match.

Upgrading to Jenkins LTS 2.107.2

No notable changes requiring upgrade notes.

Upgrading to Jenkins LTS 2.107.1

Whitelist for Remoting and XStream (JEP-200)

To prevent further security issues related to unsafe deserialization of Java objects, we switched to a whitelist for Remoting (the communication library mostly used between agents and master) and XStream (the XML serialization library). This change means that only classes considered to be safe to (de)serialize will now be (de)serialized.

See the announcement blog post for update guidelines. Many plugins require updates to be compatible with this new restriction (list), please read the guide carefully.

XML files are now stored as XML 1.1

Jenkins now creates XML 1.1 files to be more accepting of unusual contents. The XML processing instruction in those XML files will now indicate the version 1.1 instead of 1.0 as before:

<?xml version="1.1" encoding="UTF-8" ?>

This change may result in Jenkins refusing to load or parse malformed files differently from previous releases: For example, we have received a report (JENKINS-50126) that it now refuses to load XML files from disk that do not start with an XML processing instruction, but instead with a line break (empty line).

Previous versions of Jenkins cannot read XML 1.1 files, so downgrading Jenkins to an earlier release will result in errors. In many cases, it should be sufficient to just replace 1.1 with 1.0 to make them readable again, but note that downgrades of Jenkins are generally unsupported.

Updating Jenkins jobs and views by XML now resets unspecified fields

In previous releases, updating jobs and views by XML left fields at their old value if not defined in the new XML file that the job or view is being updated with. This long-standing bug has now been fixed, and Jenkins will reset unspecified fields to their default value, instead of retaining the previously defined value. This impacts the Remote API (POST config.xml), the CLI (update-job and similar commands), and any plugins using the same mechanisms, such as Job DSL Plugin.

CSRF crumb no longer required when authenticating using API token

It is no longer necessary to provide a CSRF crumb when sending an HTTP request with Basic authentication that provides the authenticating user’s API token in place of a password.

Known issues

This is a list of confirmed regressions introduced in this release.