Upgrading to Jenkins LTS 2.32.x

Each section covers the upgrade from the previous LTS release, the section on 2.32.1 covers the upgrade from 2.19.4.

Upgrading to Jenkins LTS 2.32.3

Removal of X-You-Are-In-Group headers on "Permission denied" pages

"Permission denied" pages will no longer include HTTP headers listing all the groups the current user is a member of, as a large number of headers could in some cases result in reverse proxies errors.

Access URLs such as /whoAmI to get information about the currently logged in user and group memberships.

To restore the previous behavior, set the system property hudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS to true. This is not generally recommended.

Upgrading to Jenkins LTS 2.32.2

Console notes security fix

Console notes, the often bold or colored additions to build logs by plugins such as Timestamper or AnsiColor, that were created before you upgrade to Jenkins 2.43 or 2.32.2 will no longer be loaded for security reasons. To restore the previous (unsafe) behavior, set the system property hudson.console.ConsoleNote.INSECURE to true as described on this wiki page.

Maven projects in Maven Integration Plugin 2.14 and earlier that use Maven 3.0.x to build will create console notes that can no longer be read by Jenkins, therefore parts of their build output will not be colored/bold. This does not affect freestyle projects.

New encrypted secrets format

Encrypted secrets are no AES-128 CBC with random IV instead of AES-128 ECB without IV. Therefore the format of encrypted secrets has been changed. While existing secrets can still be read, saving configuration files will result in re-encryption of stored secrets in the new format. Repeatedly submitting the same form by clicking Apply after changing a password that is stored by Jenkins as a secret will now result in configuration files being changed.

Re-keying backup files removed

Re-keying, a process implemented for the Jenkins 1.480.2 security update, and performed only when upgrading Jenkins from versions 1.480.1 or 1.497 or earlier, left behind backup files with no restrictive file access permissions. On the first restart after applying the 2.32.2 update, Jenkins will remove these backup files, if present.

If you were relying on file system permissions to protect secrets stored in Jenkins, and are operating an instance that originally was running Jenkins 1.480.1 or 1.497 (or earlier), consider changing any secrets that were stored in Jenkins then.

If you are relying on file system permissions to protect secrets stored in your Jenkins home directory backups, it is recommended that you remove the directory JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups from all backups.

Remoting blacklist addition

The remoting blacklist of classes prohibited from being used in XStream and Java object serialization has been extended. These entries were added:

^javax[.]imageio[.].*
^java[.]util[.]ServiceLoader$
^java[.]net[.]URLClassLoader$

No legitimate use of these types is expected, but possible. Previous advice in the upgrade guide for Jenkins 2.19.3 still applies.

User creation via GET no longer possible

Jenkins administrators were able to create users by accessing the URL /user/example. Doing so would create (for this URL) a new user with the ID example, if it did not exist before.

While convenient, this constitutes a cross-site request forgery vulnerability, as Jenkins administrators may be tricked into creating hundreds of (not always ephemeral) users. Therefore this feature has been removed.

When using the internal Jenkins user database, new users can be created via Manage Jenkins » Manage Users instead.

To restore the previous (unsafe) behavior, set the system property hudson.model.User.allowUserCreationViaUrl to true as described on this wiki page.

Security warnings administrative monitor

Jenkins will now display warnings when installed components (plugins or core) have known security issues. These warnings are also shown in the plugin manager’s Available and Updates tabs to warn you before installing a vulnerable plugin, or updating to a vulnerable version. As these warnings are published by your configured update sites, they are generally updated once per day. Note that third party update sites may not support this functionality (yet).

Winstone-Jetty support for ad-hoc certificate creation on Java 8

The embedded Winstone-Jetty container now supports ad-hoc SSL certificate generation when run on Java 8.

However, this feature uses internal Oracle JRE APIs, so may break at any time in the future. Therefore it is still recommended that admins manually create self-signed certificates and use these instead.

Upgrading to Jenkins LTS 2.32.1

Remoting 3 upgrade

Remoting, the library handling the communication between Jenkins master and agents, got a major upgrade that introduced a new communication protocol (JNLP4).

With this upgrade comes a restriction on which Launcher implementations are allowed to connect. It is possible that some plugins (mostly cloud implementations) will fail to connect. If that happens, set the System property jenkins.slaves.DefaultJnlpSlaveReceiver.disableStrictVerification as a workaround.

java -Djenkins.slaves.DefaultJnlpSlaveReceiver.disableStrictVerification=true … -jar jenkins.war

Additionally, this is the first remoting release that requires Java 7. While agents have needed Java 7 for a while now, remoting is also used to communicate with the Maven process in the Maven project type in the Maven Integration Plugin. These builds now needs a JDK 7 or newer to run. Use toolchains to compile with an older version of Java.

Administrative monitors are now shown on most pages

Administrative monitors are the notifications only shown on the Manage Jenkins page so far. They are now also displayed to administrators on most other pages to increase visibility of important notifications.

To allow finer-grained control over which administrative monitors are shown, they can now be disabled and enabled in Configure Jenkins.

Please note that due to how it’s implemented, the Reverse Proxy Setup monitor will not be shown on every screen.