Page 4

• Security updates for Jenkins core

  We just released security updates to Jenkins, versions 2.133 and 2.121.2, that fix multiple security vulnerabilities. For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security....

  Daniel Beck July 18, 2018
• Security Hardening: New API token system in Jenkins 2.129+

  About API tokens Jenkins API tokens are an authentication mechanism that allows a tool (script, application, etc.) to impersonate a user without providing the actual password for use with the Jenkins API or CLI. This is especially useful when your security realm is based on a central directory, like Active Directory or LDAP, and you don’t want to store your password in scripts. Recent versions...

  

  Wadeck Follonier July 2, 2018
• Securing your Jenkins CI/CD Container Pipeline with Anchore (in under 10 minutes)

  (adapted from this blog post by Daniel Nurmi) As more and more Jenkins users ship docker containers, it is worth thinking about the security implications of this model, where the variance in software being included by developers has increased dramatically from previous models. Security implications in this context include what makes up the image, but also the components of the app...

  

  Michael Neale June 20, 2018
• Security updates for Jenkins core and plugins

  We just released security updates to Jenkins, versions 2.121 and 2.107.3, that fix multiple security vulnerabilities. Additionally, we announce previously published security issues and corresponding fixes in these plugins: Black Duck Hub Groovy Postbuild Gitlab Hook (fix unreleased) For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS...

  Daniel Beck May 9, 2018
• Security updates for Jenkins core

  We just released security updates to Jenkins, versions 2.116 and 2.107.2, that fix two security vulnerabilities. For an overview of what was fixed, see the security advisory. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security....

  Daniel Beck April 11, 2018
• Jenkins community account password audit

  Last year, news of compromised passwords being used for accounts able to distribute NPM packages made the rounds. Their system looks similar to how publishing of plugins works in the Jenkins project: Accounts are protected by passwords chosen by users. Individual contributors have permission to release the components they maintain. The components they release are used by millions of developers around the world to...

  Daniel Beck March 19, 2018
• Security hardening: Jenkins LTS 2.107.1 switches XStream / Remoting blacklists to whitelists (JEP-200)

  This is a post about a major change in Jenkins, which is available starting from Jenkins 2.102 and Jenkins LTS 2.107.1. This is a change with a serious risk of regressions in plugins. If you are a Jenkins administrator, please read this blogpost and upgrade guidelines BEFORE upgrading. I would like to provide some heads-up about the JEP-200 change, which is included into the new Jenkins LTS 2.107.x...

  

  Oleg Nenashev March 15, 2018
• Security updates for Jenkins core

  We just released security updates to Jenkins, versions 2.107 and 2.89.4, that fix multiple security vulnerabilities. For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. While the severity score works out as medium for all the vulnerabilities, we strongly recommend that anyone...

  Daniel Beck February 14, 2018
• Security updates for multiple Jenkins plugins

  Multiple Jenkins plugins received updates today that fix several security vulnerabilities. Android Lint CCM Credentials Binding JUnit Pipeline: Supporting APIs For an overview of these security fixes, see the security advisory. Subscribe to the jenkinsci-advisories mailing list to receive important future notifications related to Jenkins security....

  Daniel Beck February 5, 2018