Page 2

• Security hardening: Jenkins LTS 2.107.1 switches XStream / Remoting blacklists to whitelists (JEP-200)

  This is a post about a major change in Jenkins, which is available starting from Jenkins 2.102 and Jenkins LTS 2.107.1. This is a change with a serious risk of regressions in plugins. If you are a Jenkins administrator, please read this blogpost and upgrade guidelines BEFORE upgrading. I would like to provide some heads-up about the JEP-200 change, which is included into the new Jenkins LTS 2.107.x...

  

  Oleg Nenashev March 15, 2018
• JEP-200: Remoting / XStream whitelist integrated into Jenkins core

  There is a newer version of the announcement for Jenkins administrators. Please see this blogpost. Overview JEP-200 has been integrated into Jenkins weekly builds and (if all goes well) will be a part of the next LTS line. In a nutshell, this change is a security hardening measure to be less permissive about deserializing Java classes defined in the Java Platform or libraries bundled with Jenkins. For...

  Jesse Glick January 13, 2018
• Remoting Update. Protocols deprecation, Java 8 requirement and plans

  Updated on Jan 10, 2019: The deprecated protocols were removed in Remoting 3.40+ and Jenkins 2.214+. See JENKINS-60381: Remove old for more information and links. There are upcoming changes in Jenkins "core" which may require extra steps when upgrading Jenkins. If you use configuration management for Jenkins agents, please read this announcement carefully. If you have ever seen messages like "Channel is already closed"...

  

  Oleg Nenashev August 11, 2017
• New, safer CLI in 2.54

  In response to the zero-day vulnerability we fixed in November, I wrote the following: Moving forward, the Jenkins security team is revisiting the design of the Jenkins CLI over the coming weeks to prevent this class of vulnerability in the future. If you are interested in participating in that discussion, please join in on the jenkinsci-dev@ mailing list. In early February, several project...

  Daniel Beck April 11, 2017