
Jenkins core security advisory 2024-04-17
Closed, ResolvedPublic

Description

The following Jenkins updates contain fixes for security vulnerabilities:

  • Jenkins 2.452
  • Jenkins LTS 2.440.3

Please see the advisory for more information:
https://www.jenkins.io/security/advisory/2024-04-17/

Event Timeline

The vulnerability affects the CLI client over SSH transport only. None of our CI and Release instances have their SSH server enabled, so we are not affected by the issue.

Do you still want me to import the latest LTS release (like for non-security fixes) or shall we skip this update entirely?
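As an added check (not part of this task or of Jenkins itself), the following POSIX shell snippet shows how to verify the "SSH server disabled" claim above on a live instance from two independent signals. The config file name org.jenkinsci.main.modules.sshd.SSHD.xml with its <port> element (-1 disabled, 0 random port, positive fixed port) and the X-SSH-Endpoint response header that Jenkins adds when the SSH server is on are assumptions about the Jenkins sshd module; JENKINS_HOME and JENKINS_URL are placeholders the operator sets.

```shell
#!/bin/sh
# Added example: check whether a Jenkins instance exposes its built-in SSH server
# (the transport the CLI-over-SSH vulnerability needs). Assumptions, not facts
# from the task above:
#   1. $JENKINS_HOME/org.jenkinsci.main.modules.sshd.SSHD.xml holds <port>:
#      -1 = disabled, 0 = random port, >0 = fixed port.
#   2. When the server is enabled, HTTP responses carry "X-SSH-Endpoint: host:port".

# sshd_port_from_xml: read SSHD.xml content on stdin and print the <port> value,
# or "missing" if the element is absent (the module default then applies).
sshd_port_from_xml() {
    xml_port=$(sed -n 's/.*<port>\([-0-9]*\)<\/port>.*/\1/p' | head -n 1)
    if [ -z "$xml_port" ]; then
        echo "missing"
    else
        echo "$xml_port"
    fi
}

# sshd_state_from_port: map a <port> value to enabled/disabled/unknown.
# "missing" is reported as unknown on purpose: rely on the header check then.
sshd_state_from_port() {
    case "$1" in
        -1)      echo "disabled" ;;
        missing) echo "unknown" ;;
        *)       echo "enabled" ;;
    esac
}

# sshd_state_from_headers: read raw HTTP response headers on stdin (e.g. from
# curl -sI) and report enabled if the X-SSH-Endpoint header is present.
sshd_state_from_headers() {
    if grep -qi '^x-ssh-endpoint:'; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Live checks, only run when the operator has set the placeholders.
if [ -n "${JENKINS_HOME:-}" ] && [ -r "$JENKINS_HOME/org.jenkinsci.main.modules.sshd.SSHD.xml" ]; then
    cfg_port=$(sshd_port_from_xml < "$JENKINS_HOME/org.jenkinsci.main.modules.sshd.SSHD.xml")
    echo "SSHD.xml: port=$cfg_port state=$(sshd_state_from_port "$cfg_port")"
fi
if [ -n "${JENKINS_URL:-}" ]; then
    echo "HTTP: state=$(curl -sI "$JENKINS_URL/login" | sshd_state_from_headers)"
fi
```

The header check is the one to trust on a running instance, since it reflects the effective configuration rather than a file that may not exist yet; run it from outside the host as an attacker would.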

There are a few more changes; I guess they are trivial ones since they did not make it into the release notes.

$ git log --oneline jenkins-2.440.2..jenkins-2.440.3
a9b85dcfe2 (tag: jenkins-2.440.3) [maven-release-plugin] prepare release jenkins-2.440.3
ef340a4492 (tag: jenkins-2.440.3-rc) Merge pull request #9113 from krisstern/feat/stable-2.440/backporting-2.440.3
387f5a600b Backport bundled plugin updates
f25c5d061e Bump Mina to 2.12.1 in the CLI (#9089)
1dba772b27 Bump org.springframework.security:spring-security-bom from 5.8.10 to 5.8.11 (#9047)
2ca228aac4 Bump org.springframework:spring-framework-bom from 5.3.32 to 5.3.33 (#9042)
0c9eb0c814 [JENKINS-72799] Apply `SlaveComputer.decorate` also to `openLogFile` (#9009)
57cab7aeef [JENKINS-72796] stable context classloader for Computer.threadPoolForRemoting (#9012)
7aaedac817 Update bundled trilead-api to 2.84.86.vf9c960e9b_458 (#9022)
713e4761d9 [maven-release-plugin] prepare for next development iteration

I am fine skipping this update.

Marking as resolved as we have agreed to skip this release since we do not use the Jenkins CLI and have it disabled.