Upgrading to Jenkins LTS 2.19.x

Each section covers the upgrade from the previous LTS release, the section on 2.19.1 covers the upgrade from 2.7.4.

Upgrading to Jenkins LTS 2.19.4

JNLP agent protocol options weren’t correctly persisted

The JNLP agent protocol configuration could not be loaded from disk after a Jenkins restart.

If you customized these settings since 2.19.1, review that they are configured as expected.

Honor jenkins.model.Jenkins.slaveAgentPort again

A regression in Jenkins 2.0 caused Jenkins to ignore the System property jenkins.model.Jenkins.slaveAgentPort.

The previous behavior has been restored, and a new System property jenkins.model.Jenkins.slaveAgentPort added that, if set, will enforce the JNLP agent port on every Jenkins startup, and will not allow the value to be changed through the UI.

It can still be changed via Groovy scripting for troubleshooting purposes, but any change will be reverted on startup.

Text boxes on configuration screens will no longer stretch to accomodate long lines

The layout of job configuration screens will no longer break if users don’t insert extra line breaks to break long lines. Instead, the text box will allow horizontal scrolling.

Don’t spawn numerous threads on the agent build history page

The build history for specific agents has long caused numerous potentially long-running threads to spawn. This has been fixed.

Memory leak on dashboard fixed

A memory leak on the dashboard (view pages) was fixed, so that browser memory use will no longer grow unbounded.

Upgrading to Jenkins LTS 2.19.3

Expansion of the serialization blacklist

The major part of the security fix is an expansion of the serialization blacklist used for remoting (Jenkins CLI and master/agent communication) and XStream (XML configuration and data files).

It is possible that legitimate uses of classes in blacklisted packages will no longer work. This will be indicated by any of the following in exception messages in logs:

Rejected: com.sun.jndi.rmi.EvilClass
Refusing to unmarshal com.sun.jndi.rmi.EvilClass for security reasons
Refusing to marshal com.sun.jndi.rmi.EvilClass for security reasons

In these examples, com.sun.jndi.rmi.EvilClass is a placeholder for a real class name.

It is possible to customize the blacklist used by setting the hudson.remoting.ClassFilter.DEFAULTS_OVERRIDE_LOCATION System property for the Jenkins master java invocation. It is expected to be set to the path to a file containing a complete, custom blacklist overriding the default one.

The default blacklist is defined in ClassFilter.java in the remoting component. In a configuration file as used for hudson.remoting.ClassFilter.DEFAULTS_OVERRIDE_LOCATION, the default blacklist would look like this:

^bsh[.].*
^com[.]google[.]inject[.].*
^com[.]mchange[.]v2[.]c3p0[.].*
^com[.]sun[.]jndi[.].*
^com[.]sun[.]corba[.].*
^com[.]sun[.]javafx[.].*
^com[.]sun[.]org[.]apache[.]regex[.]internal[.].*
^java[.]awt[.].*
^java[.]rmi[.].*
^javax[.]management[.].*
^javax[.]naming[.].*
^javax[.]script[.].*
^javax[.]swing[.].*
^org[.]apache[.]commons[.]beanutils[.].*
^org[.]apache[.]commons[.]collections[.]functors[.].*
^org[.]apache[.]myfaces[.].*
^org[.]apache[.]wicket[.].*
.*org[.]apache[.]xalan.*
^org[.]codehaus[.]groovy[.]runtime[.].*
^org[.]hibernate[.].*
^org[.]python[.].*
^org[.]springframework[.](?!(\p{Alnum}+[.])*\p{Alnum}*Exception$).*
^sun[.]rmi[.].*

To check whether any given class name is blacklisted, run the following command in Manage Jenkins » Script Console, replacing com.sun.jndi.rmi.EvilClass with the class name you want to check:

hudson.remoting.ClassFilter.DEFAULT.isBlacklisted('com.sun.jndi.rmi.EvilClass')

Removing or relaxing entries on this blacklist must be done carefully as to not open yourself up to known exploits. A possible alternative could be to disable the CLI via HTTP and JNLP agent port (see below) to prevent its unauthenticated use.

Disabling the CLI

Another change in Jenkins 2.19.3 is the new feature to disable the CLI over HTTP and JNLP by setting the System property jenkins.CLI.disabled to true. This is a more convenient alternative to run the Groovy script provided as a workaround to SECURITY-218 and SECURITY-360 for users who do not want to allow unauthenticated access to the Jenkins CLI even with the security fix.

While the CLI can be used using the Jenkins integrated SSH daemon as well, this requires authentication, so it’s not a vector for unauthenticated attacks. To disable this feature as well, disable the SSH server port in Manage Jenkins » Configure Jenkins » SSH Server.

Upgrading to Jenkins LTS 2.19.2

Fixes to CLI over HTTP

CLI over HTTP (when the JNLP port is disabled) now works with CSRF protection enabled and does not need explicitly setting hudson.diyChunking. So any workarounds applied for previous versions of Jenkins to make the CLI work can now be reverted.

Upgrading to Jenkins LTS 2.19.1

Plugin dependency resolution fix

Previous versions allowed Jenkins to run with invalid plugin configurations. For example, plugins depending on other plugins were loaded even if those dependencies were outdated, or disabled. This could result in difficult to debug errors at run time.

Now, Jenkins will refuse to load plugins with unsatisfied dependencies. Diagnostic messages explaining this will be written to the Jenkins log during startup, and we strongly recommend monitoring that after upgrading.

Form autocompletion disabled

A long-standing problem with JavaScript-heavy configuration forms was that submitting a form, then using the web browser Back button to return to the form resulted in the wrong form contents. Submitting the form again would then result in unexpectedly broken configuration.

To work around this problem, we disabled autocompletion for almost all form fields.

Agent protocol selection in security configuration

The Configure Global Security form now includes options to enable/disable specific agent protocol versions, along with short descriptions of each protocol. There is no general guidance on when to customize the status of specific protocols, but it may be needed in the future.

Hiding the Java Web Start launcher

By default, new Jenkins 2 instances will have the JNLP agent port disabled. As this is a requirement for the JNLP Web Start launch method for build agents to work, this form option will now be hidden if the port is disabled. To make it show up, just enable the JNLP agent port in the Global Security Configuration.