Each section covers the upgrade from the previous LTS release; the section on 2.46.1 covers the upgrade from 2.32.3.
To address security concerns over the use of the remoting-based CLI, the new non-remoting implementation introduced in Jenkins 2.54 was backported to this release of Jenkins, and the remoting CLI mode was deprecated.
Users upgrading from older releases of Jenkins will still have the remoting mode enabled. It is recommended to disable the remoting mode after adapting all uses of the Jenkins CLI to work over non-remoting protocols.
A previously downloaded jenkins-cli.jar will continue working unless the remoting mode for the CLI is disabled.
A newly downloaded jenkins-cli.jar now also supports the existing SSH mode, and the new HTTP mode for the CLI, and invocations need to pass the new argument -remoting to use remoting mode.
This is necessary for some of the commands, typically those operating on files or modifying the "current build".
More information about the new CLI implementation:
Due to a vulnerability discovered in the CLI authentication cache, existing cached authentications created before this release will no longer work, and users will need to run the login CLI command again.
The login CLI command is specific to the remoting mode of the CLI.
To fix a number of CSRF vulnerabilities, URLs of several operations have been changed to only work when receiving requests via POST, possibly requiring a CSRF crumb.
Most of these will not have been accessed via GET, but a few might.
For example, if you have been accessing the URL /quietDown directly before in your web browser, this will no longer work.
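
For scripts that used to trigger such an operation with a plain GET, the following added example (not part of the Jenkins documentation) shows the replacement: request a crumb, then send the operation as a POST carrying it. HTTP basic authentication with a user name and API token is assumed, and the sample crumb reply is constructed.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample of the JSON body returned by <jenkins>/crumbIssuer/api/json.
SAMPLE_CRUMB_JSON = (
    '{"crumb": "0123456789abcdef0123456789abcdef", '
    '"crumbRequestField": "Jenkins-Crumb"}'
)

def basic_auth(user, api_token):
    """Value for the Authorization header (assumed auth scheme: HTTP basic)."""
    raw = f"{user}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def parse_crumb(body):
    """Return (header name, crumb value) from the crumb issuer's JSON reply."""
    doc = json.loads(body)
    return doc["crumbRequestField"], doc["crumb"]

def fetch_crumb(base_url, auth):
    """Ask Jenkins for a crumb; None if CSRF protection is off (404)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/crumbIssuer/api/json")
    req.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_crumb(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def post_request(base_url, path, auth, crumb=None):
    """Build the POST that replaces a former GET to a path such as /quietDown."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=b"", method="POST")
    req.add_header("Authorization", auth)
    if crumb is not None:
        req.add_header(*crumb)
    return req

def quiet_down(base_url, user, api_token):
    """Put Jenkins into quiet-down mode; returns the HTTP status code."""
    auth = basic_auth(user, api_token)
    crumb = fetch_crumb(base_url, auth)
    req = post_request(base_url, "/quietDown", auth, crumb)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```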
The JNLP4 protocol is now enabled by default for JNLP agent connections.
It’s more reliable than JNLP3, and also encrypted, making it the best choice for agent connections.
Use of this protocol may require upgrades of slave.jar files on agents.