Upgrading to Jenkins LTS 2.138.x

Each section covers the upgrade from the previous LTS release; the section on 2.138.1 covers the upgrade from 2.121.3.

Upgrading to Jenkins LTS 2.138.2

Security hardening to prevent XSS vulnerabilities

A security hardening to prevent cross-site scripting vulnerabilities from being exploitable was applied to views in Jenkins. This can in rare cases result in views having some content escaped twice (typically resulting in visible HTML entities).

We consider these effects to be a bug in plugins that either opt out of the default test suite, or use outdated toolchains. We track known affected plugins and their status on the Jenkins wiki.

As a temporary workaround, this hardening can be disabled by setting the system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false.
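The following Python model (added here for illustration; it is not Jenkins or Stapler code) shows why an escape-by-default view layer double-escapes output from a plugin that already escaped its own content, and why turning the hardening off trades that cosmetic defect for raw markup reaching the browser from any plugin that never escaped at all. The render and plugin functions and the sample text are constructed for the example; the only real behaviour it relies on is standard HTML entity escaping.

```python
"""Model of escape-by-default rendering and the double-escape symptom.

Constructed illustration, not the Jenkins/Stapler implementation.
"""
import html
import re
from typing import Callable

# An entity whose leading '&' was itself escaped, e.g. "&amp;lt;". This is what
# "visible HTML entities" in a rendered view usually are. It is a heuristic:
# a user who literally typed "&lt;" produces the same bytes after one escape.
DOUBLE_ESCAPED = re.compile(r"&amp;(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")

# Constructed sample containing every character that escaping has to handle.
SAMPLE_TEXT = '<b>John & "Jane"</b>'


def render(value: str, escape_by_default: bool) -> str:
    """Model of the view layer: with the hardening on, every value written into
    the page is HTML-escaped; with it off, the value is written verbatim."""
    return html.escape(value, quote=True) if escape_by_default else value


def legacy_plugin_output(user_text: str) -> str:
    """Plugin built with an older toolchain: escapes its own output, so the
    view layer's escape is applied on top of it."""
    return html.escape(user_text, quote=True)


def passthrough_plugin_output(user_text: str) -> str:
    """Plugin that hands user-controlled text to the view layer unescaped.
    With the hardening on it is safe; with it off the markup is live."""
    return user_text


def render_plugin_view(plugin: Callable[[str], str], user_text: str,
                       escape_by_default: bool) -> str:
    """Run one plugin's output through the modelled view layer."""
    return render(plugin(user_text), escape_by_default)


def looks_double_escaped(rendered: str) -> bool:
    """Detect the symptom an administrator sees: entities shown as text."""
    return DOUBLE_ESCAPED.search(rendered) is not None


def contains_live_markup(rendered: str) -> bool:
    """True when a tag from the input survives unescaped into the page."""
    return "<" in rendered


if __name__ == "__main__":
    for name, plugin in (("legacy", legacy_plugin_output),
                         ("passthrough", passthrough_plugin_output)):
        for hardening in (True, False):
            out = render_plugin_view(plugin, SAMPLE_TEXT, hardening)
            print(f"{name:12} escapeByDefault={hardening!s:5} "
                  f"double={looks_double_escaped(out)!s:5} "
                  f"live_markup={contains_live_markup(out)!s:5} {out}")
```

The two rows that matter for the upgrade are the legacy plugin with the hardening on (double-escaped, the bug the page describes) and the passthrough plugin with the hardening off (live markup, the vulnerability the hardening exists to stop). Disabling escapeByDefault fixes the first by reintroducing the second for every plugin on the instance, which is why the property is a temporary workaround rather than a fix.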

Warning logged on first startup after upgrade

When starting Jenkins 2.138.2 for the first time, a warning like the following might be logged if the Job Config History Plugin is installed.

Oct 10, 2018 2:27:17 PM hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1 error
WARNING: Failed to instantiate Key[type=jenkins.telemetry.Correlator, annotation=[none]]; skipping this component
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Tried proxying jenkins.telemetry.Correlator to support a circular dependency, but it is not an interface.

This does not appear to result in further problems. Subsequent restarts of Jenkins will no longer log this warning.

Security hardening impacts use of GitHub OAuth Plugin

A security hardening in 2.138.2 and 2.146 can result in problems accessing jobs with GitHub OAuth Plugin due to a bug in the plugin.

As a workaround, it is possible to temporarily disable part of the security hardening by setting the Java system properties hudson.model.AbstractItem.skipPermissionCheck and hudson.model.Run.skipPermissionCheck to true.

Upgrading to Jenkins LTS 2.138.1

New login and user signup pages

The login and user signup pages have been redesigned. As a side effect, existing PageDecorator implementations will not be used on the redesigned pages.

See the announcement blog post for further information.

New API token system

The per-user API tokens that allow access to the HTTP remote API have been redesigned: API tokens can now be created and revoked, and are stored in a non-recoverable format.
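To make "stored in a non-recoverable format" concrete, here is a small Python token store added as an example (it is not the Jenkins implementation, and the class and method names are invented for this illustration). The token value is generated from a CSPRNG, returned exactly once, and only its SHA-256 digest is kept; verification recomputes the digest and compares in constant time, and revocation simply marks the record so the digest is never matched again.

```python
"""Create, verify and revoke per-user API tokens without storing the secret.

Constructed illustration of the design; not Jenkins's own code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _digest(token: str) -> str:
    """One-way transform of the token; this is all that is ever persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class StoredToken:
    name: str        # label the user chose, e.g. "ci-deploy"
    digest: str      # SHA-256 hex of the token value
    revoked: bool = False


class ApiTokenStore:
    """Token records for one user, keyed by a random token id."""

    def __init__(self) -> None:
        self._tokens: Dict[str, StoredToken] = {}

    def create(self, name: str) -> Tuple[str, str]:
        """Return (token_id, token). The token is shown to the user once and
        cannot be read back from the store afterwards."""
        token = secrets.token_hex(16)       # 128 bits of randomness
        token_id = secrets.token_hex(8)     # opaque handle for revocation
        self._tokens[token_id] = StoredToken(name, _digest(token))
        return token_id, token

    def revoke(self, token_id: str) -> bool:
        """Mark a token unusable; returns False for an unknown id."""
        record = self._tokens.get(token_id)
        if record is None:
            return False
        record.revoked = True
        return True

    def verify(self, presented: str) -> Optional[str]:
        """Return the id of the live token matching `presented`, else None.
        Every live record is compared in constant time, so a wrong token
        costs the same as a right one regardless of where it would match."""
        candidate = _digest(presented)
        match: Optional[str] = None
        for token_id, record in self._tokens.items():
            if record.revoked:
                continue
            if hmac.compare_digest(record.digest, candidate):
                match = token_id
        return match

    def persisted_values(self) -> Tuple[str, ...]:
        """What a backup or disk read would expose: digests only."""
        return tuple(r.digest for r in self._tokens.values())


if __name__ == "__main__":
    store = ApiTokenStore()
    token_id, token = store.create("ci-deploy")
    print("token (shown once):", token)
    print("verify ->", store.verify(token))
    store.revoke(token_id)
    print("verify after revoke ->", store.verify(token))
```

The consequence for operators is the one the page states: a token that leaks from a backup of the store is not usable, because only the digest is there, and a token the user has lost cannot be shown again; the user creates a new one and revokes the old id.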

See the announcement blog post for further information.

Disabled deprecated agent protocols

The deprecated Jenkins CLI Protocol versions 1 and 2, and Java Web Start Agent Protocol versions 1, 2, and 3 have been disabled.

If you still use these protocols (e.g. remoting-based CLI, or old slave.jar files on agents), you need to re-enable these protocols after upgrade, or upgrade the clients. The same recommendations as in the 2.121.x upgrade guide for remoting changes apply here.

Require GNU C Library 2.7 or above on Unix systems

Starting from this version, Jenkins requires GNU C Library version 2.7 or above. This makes some Linux distributions unsupported, in particular RHEL 5 and CentOS 5. See JENKINS-53924 and JENKINS-53832 for more info.
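A pre-upgrade check for this requirement, added here as an example (not part of the Jenkins project): it reads the glibc version the way Python exposes it on Linux and compares it numerically against 2.7. The numeric comparison is the point of the helper, since a plain string comparison ranks "2.17" below "2.7". The version strings in the test are constructed samples, and the fallback when the platform does not report a GNU libc version (non-Linux hosts, or a musl-based system) is to report the requirement as unmet rather than to guess.

```python
"""Check that the host's GNU C Library satisfies a minimum version.

Added example; the helper names are invented for this illustration.
"""
import os
import re
from typing import Optional, Tuple

# Minimum required by Jenkins from 2.138.1 onwards, as stated on this page.
MIN_GLIBC: Tuple[int, int] = (2, 7)

_VERSION = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_glibc_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from strings such as 'glibc 2.17' (the form
    os.confstr returns) or 'ldd (GNU libc) 2.28'. None if no version found."""
    m = _VERSION.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def meets_minimum(text: str, minimum: Tuple[int, int] = MIN_GLIBC) -> bool:
    """Numeric comparison: (2, 17) >= (2, 7) is True, unlike '2.17' >= '2.7'."""
    version = parse_glibc_version(text)
    return version is not None and version >= minimum


def detected_glibc() -> Optional[str]:
    """Ask the C library for its own version; None where that is unavailable
    (non-Linux platforms, or a libc that is not GNU libc)."""
    try:
        value = os.confstr("CS_GNU_LIBC_VERSION")
    except (AttributeError, ValueError, OSError):
        return None
    return value or None


def host_is_supported() -> bool:
    """True only when a GNU libc version is reported and it meets MIN_GLIBC."""
    reported = detected_glibc()
    return reported is not None and meets_minimum(reported)


if __name__ == "__main__":
    reported = detected_glibc()
    print("reported glibc:", reported)
    print("meets %d.%d:" % MIN_GLIBC, host_is_supported())
```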