Jenkins security release June 30th

[rvagg]

The Jenkins project plans to publish new Jenkins releases (weekly and LTS 2.289.2) on Wednesday, June 30. These updates will contain fixes for security issues present in current versions of Jenkins. The highest severity is "High". The security advisory will be issued at the same time to provide further information.

[rvagg]

Releases and advisory are out: https://www.jenkins.io/security/advisory/2021-06-30/

My judgement is that, while not trivial, these shouldn't be a major concern for our usage model and we can wait until after the security releases tomorrow to get an upgrade done. Happy to hear alternative views though.

[richardlau]

I've run apt-get update && apt dist-upgrade -y && apt-get autoremove -y on both ci.nodejs.org and ci-release.nodejs.org and both are now 2.289.2.

@rvagg How did you generate the list of updated plugins in e.g. https://github.com/nodejs/build/issues/2593? I haven't touched the plugin manager yet -- I'd like to be able to record what plugins were updated like in the previous issues.

[richardlau]

As per I've set the executors for the master/controller node to 0 on ci.nodejs.org.

We get the same warning on ci-release.nodejs.org but we are actually running iojs+release on the master node, so I've left it as-is for the moment.

[richardlau]

FWIW the new version of Jenkins includes https://github.com/jenkinsci/jenkins/pull/5065 so we have new icons, e.g.

[targos]

The new icons for running jobs are... interesting 😄

https://user-images.githubusercontent.com/2352663/124194301-9c911400-dac8-11eb-9e10-2591c098d534.mov

[rvagg]

@richardlau I just copy the text of the plugin manager page into my editor and do some munging until it ends up in a form I can post here .. usually involves a bit of manual work and it's a bit tedious but I reckon it's worth recording these version numbers in case we need to revert anything (which we've had to do in the past).

Have run upgrades now:

ci plugins

Not upgraded:

• PostBuildScript 3.0.0 <- 2.11.0

Upgraded:

• Bitbucket Branch Source 2.9.9 <- 2.9.8
• Bitbucket Pipeline for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Blue Ocean Core JS 1.25.0-alpha-1 <- 1.24.6
• Blue Ocean Pipeline Editor 1.25.0-alpha-1 <- 1.24.6
• Branch API 2.6.4 <- 2.6.3
• Command Agent Launcher 1.6 <- 1.5
• Common API for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Config API for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Config File Provider 3.8.0 <- 3.7.0
• Copy Artifact 1.46.1 <- 1.46
• Credentials 2.5 <- 2.3.18
• Credentials Binding 1.26 <- 1.24
• Dashboard for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Dashboard View 2.17 <- 2.15
• Design Language 1.25.0-alpha-1 <- 1.24.6
• Display URL API 2.3.5 <- 2.3.4
• Durable Task 1.37 <- 1.35
• ECharts API 5.1.2-2 <- 5.0.2-1
• Email Extension 2.83 <- 2.82
• Events API for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Font Awesome API 5.15.3-3 <- 5.15.2-2
• Git 4.7.2 <- 4.7.1
• Git client 3.7.2 <- 3.7.1
• Git Pipeline for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• GitHub Branch Source 2.11.1 <- 2.10.2
• GitHub Pipeline for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Groovy 2.4 <- 2.3
• HTTP Request 1.9.0 <- 1.8.27
• i18n for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Jira 3.5 <- 3.2.1
• JIRA Integration for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Job Configuration History 2.28 <- 2.27
• JUnit 1.51 <- 1.49
• JWT for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• LDAP 2.7 <- 2.5
• Lockable Resources 2.11 <- 2.10
• Matrix Authorization Strategy 2.6.7 <- 2.6.6
• Matrix Project 1.19 <- 1.18
• Maven Integration 3.12 <- 3.10
• Mercurial 2.15 <- 2.14
• Node and Label parameter 1.8.1 <- 1.8.0
• Parameterized Trigger 2.41 <- 2.40
• Personalization for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Pipeline Graph Analysis 1.11 <- 1.10
• Pipeline implementation for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Pipeline SCM API for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• Pipeline Utility Steps 2.8.0 <- 2.7.1
• Pipeline: API 2.46 <- 2.42
• Pipeline: Declarative 1.8.5 <- 1.8.4
• Pipeline: Declarative Extension Points API 1.8.5 <- 1.8.4
• Pipeline: Groovy 2.92 <- 2.90
• Pipeline: Job 2.41 <- 2.40
• Pipeline: Model API 1.8.5 <- 1.8.4
• Pipeline: Multibranch 2.26 <- 2.23
• Pipeline: Nodes and Processes 2.39 <- 2.38
• Pipeline: SCM Step 2.13 <- 2.12
• Pipeline: Shared Groovy Libraries 2.21 <- 2.18
• Pipeline: Stage Tags Metadata 1.8.5 <- 1.8.4
• Platform Labeler 878.v3d1d81b156bc <- 812.vb9d38b0660f9
• Plugin Utilities API 2.3.0 <- 2.1.0
• Pub-Sub "light" Bus 1.16 <- 1.13
• REST API for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• REST Implementation for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• SAML 2.0.7 <- 2.0.3
• Script Security 1.77 <- 1.76
• Snakeyaml API 1.29.1 <- 1.27.0
• SSH Agent 1.23 <- 1.22
• SSH Build Agents 1.32.0 <- 1.31.5
• SSH Credentials 1.19 <- 1.18.1
• Structs 1.23 <- 1.22
• Subversion 2.14.4 <- 2.14.0
• Text Finder 1.16 <- 1.15
• Throttle Concurrent Builds 2.3 <- 2.2
• Timestamper 1.13 <- 1.12
• Web for Blue Ocean 1.25.0-alpha-1 <- 1.24.6
• WMI Windows Agents 1.8 <- 1.7

ci-release plugins

Not upgraded:

• PostBuildScript 3.0.0 <- 2.11.0

Upgraded:

• AnsiColor 1.0.0 <- 0.7.5
• Branch API 2.6.4 <- 2.6.3
• Command Agent Launcher 1.6 <- 1.5
• Copy Artifact 1.46.1 <- 1.46
• Credentials 2.5 <- 2.3.18
• Credentials Binding 1.26 <- 1.24
• CVS 2.19 <- 2.18
• Display URL API 2.3.5 <- 2.3.4
• Durable Task 1.37 <- 1.35
• ECharts API 5.1.2-2 <- 5.0.2-1
• Font Awesome API 5.15.3-3 <- 5.15.2-2
• Git 4.7.2 <- 4.7.1
• Git client 3.7.2 <- 3.7.1
• GitHub Branch Source 2.11.1 <- 2.10.2
• Job Configuration History 2.28 <- 2.27
• JUnit 1.51 <- 1.49
• LDAP 2.7 <- 2.5
• Matrix Authorization Strategy 2.6.7 <- 2.6.6
• Matrix Project 1.19 <- 1.18
• Maven Integration 3.12 <- 3.10
• Parameterized Trigger 2.41 <- 2.40
• Pipeline: API 2.46 <- 2.42
• Pipeline: Groovy 2.92 <- 2.90
• Pipeline: Job 2.41 <- 2.40
• Pipeline: Multibranch 2.26 <- 2.23
• Pipeline: Nodes and Processes 2.39 <- 2.38
• Pipeline: SCM Step 2.13 <- 2.12
• Plugin Utilities API 2.3.0 <- 2.1.0
• PostBuildScript 3.0.0 <- 2.11.0
• SAML 2.0.7 <- 2.0.3
• Script Security 1.77 <- 1.76
• Snakeyaml API 1.29.1 <- 1.27.0
• SSH Agent 1.23 <- 1.22
• SSH Build Agents 1.32.0 <- 1.31.5
• SSH Credentials 1.19 <- 1.18.1
• Structs 1.23 <- 1.22
• Subversion 2.14.4 <- 2.14.0
• Text Finder 1.16 <- 1.15
• Throttle Concurrent Builds 2.3 <- 2.2
• Timestamper 1.13 <- 1.12
• WMI Windows Agents 1.8 <- 1.7

[rvagg]

that weird UI bug might be fixed by upgrading the CSS if someone wants to go to the skin site (url at bottom right) and copypaste in appropriate CSS, maybe they have an update for the new Jenkins

[richardlau]

I just copy the text of the plugin manager page into my editor and do some munging until it ends up in a form I can post here .. usually involves a bit of manual work and it's a bit tedious but I reckon it's worth recording these version numbers in case we need to revert anything (which we've had to do in the past).

Yeah, I agree that recording the numbers is useful which I why I asked. Manual it is then 🙂.

that weird UI bug might be fixed by upgrading the CSS if someone wants to go to the skin site (url at bottom right) and copypaste in appropriate CSS, maybe they have an update for the new Jenkins

• https://github.com/afonsof/jenkins-material-theme/issues/188
• https://github.com/afonsof/jenkins-material-theme/issues/183

I've applied the workaround in https://github.com/afonsof/jenkins-material-theme/issues/183#issuecomment-806518351 to hide the spinning animation.

[github-actions[bot]]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.