Changelog:
What's new in 1.565.3 (2014/10/01)
Plugin code can be downloaded by anyone with Overall/Read (SECURITY-155)
Stored passwords can be read out from build with parameters page (SECURITY-138)
Multiple cross-site scripting (XSS) vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2 as included with Jenkins (SECURITY-149)
Unauthenticated users can make Jenkins behind Apache unresponsive (SECURITY-87)
Users with limited Job/Configure can replace other jobs they have no access to (if they know the name) (SECURITY-128)
CLI calls are causing file descriptor leaks. (issue 23248)
Users with limited Job/Configure can change the kind of job via CLI, getting access to denied job types (SECURITY-127)
Test result trend breaks lazy-loading (issue 23945)
Unable to kill a job which is running (issue 17667)
XSS weakness in load-statistics (SECURITY-143)
Job is removed from ListView after rename (issue 23893)
set-build-result and set-build-parameter do insufficient checks (issue 24080)
Missing no-sniff header (SECURITY-122)
Directory traversal (SECURITY-131)
"incompatible InnerClasses attribute" error in IBM J9 VM (issue 22525)
Arbitrary file system write via DiskFileItem deserialization (SECURITY-159)
Missing SecureFlag cookie (SECURITY-120)
Prevent (private security realm) usernames from being guessed (SECURITY-79 redux!) (SECURITY-110)
Deadlock in OldDataMonitor (issue 24358)
RemoteInvocationHandler.RPCRequest allows invoking any method on an exported object, even those not exposed by the exported interface (SECURITY-150)
What's new in 1.565.2 (2014/09/03)
Jenkins needs to check whether the war's directory is writeable before offering to upgrade (issue 23683)
AbstractLazyLoadRunMap.iterator() calls .all() (issue 18065)
Jenkins no longer kills running processes after job fails (issue 22641)
HTTP error 405 when trying to restart ssh host (issue 23094)
Run.delete (from LogRotator) failing with "...looks to have already been deleted" (issue 22395)
file name encoding broken in zip archives (issue 20663)
Kill win32 processes from win64 JVMs (issue 23410)
What's new in 1.565.1 (2014/07/30)
Queue.maintain does disk I/O via PeepholePermalink.resolve (issue 22822)
“Form too large” errors submitting view configurations with many jobs (issue 20327)
NPE on plugin install (issue 20031)
Link to the console output missing in popup when log >200Kb (issue 14264)
Parameters: NPE in canTake() procedures may kill all executors (issue 15094)
NPE from AbstractBuild$AbstractBuildExecution.run (issue 23277)
broken ProjectNamingStrategy Extension (issue 23127)
Move DecoratedLauncher from the custom-tools plugin to the Jenkins Core (issue 19454)
hudson.Launcher:ProcStarter::envs() may throw NPE (issue 20559)
Resource leak in hudson.model.FileParameterValue (issue 22693)
ReverseBuildTrigger.threshold not consistently saved (issue 23191)
AccessRestriction on SecurityListener methods (issue 23417)
After deleting folder, get 404 (issue 23375)
email-ext plugin doesn't handle tokens when slave has gone offline: IAE from AbstractProject.getEnvironment (issue 23517)
Jenkins cannot restart Windows service (issue 22685)
Rules for showing/hiding SCMTrigger.pollingThreadCount option are broken (issue 22934)
What's new in 1.554.3 (2014/06/30)
Queue.maintain does disk I/O via PeepholePermalink.resolve (issue 22822)
Non-recursive ListViews unnecessarily call owner.getAllItems in getItems (issue 22720)
SSH slave connections die after the slave outputs 4MB of stderr, usually during findbugs analysis (issue 22938)
Jenkins cannot restart Windows service (issue 22685)
What's new in 1.554.2 (2014/05/30)
Don't ask for confirmation when it doesn't make any sense (issue 21720)
On a configure screen that has multiple groups of radio buttons, clicking the apply button clears all but the last radio group selection (issue 22570)
Optimize creation of relative links to jobs (issue 18364)
Jenkins asks for confirmation before leaving edited 'View Configuration' page (issue 20597)
OutOfOrderBuildMonitor fails to correct builds with duplicate number (issue 22631)
Computer does not exist returns NPE (issue 21999)
Last build of project reloaded when project asked for later build (issue 22681)
After clicking 'Apply' at least once, 'Save' opens a new window (issue 20245)
hetero-radio should work with multiple instances of the same ui (issue 22583)
Cannot submit configuration after removing groovy step (issue 22582)
No autocompletion and NullPointerException when using 'Copy Existing Job' (issue 22142)
What's new in 1.554.1 (2014/04/30)
NPE if trying to install a plugin from the update center and either the update source or the plugin contains a '.' in its name (issue 22080)
Download update center from master by default (issue 19081)
OutOfMemory due to unbounded storage in OldDataMonitor (issue 19544)
Very slow resource loading from UberClassLoader (issue 21579)
Jetty exploding war to /tmp is a bad idea (issue 22442)
Performance issue with search box (issue 21969)
ArrayIndexOutOfBoundsException during Jenkins.doConfigSubmit; need XStream 1.4.6 (issue 18537)
NullPointerException when trying to mark slave temporarily offline (issue 21875)
Build queue is not filtered after progress updated (issue 20500)
copy-job permission checks wrong (issue 22262)
What's new in 1.532.3 (2014/04/11)
Replace description in error dialog instead of appending (issue 21457)
NPE from xstream.core.JVM.isOpenJDK (issue 21183)
WorkspaceCleanupThread does not handle folders (issue 21023)
Copy Artifact's fingerprinting creates second hudson.tasks.Fingerprinter_-FingerprintAction section with just the artifacts copied (issue 17606)
/login offers link to /opensearch.xml which anonymous users cannot retrieve (issue 21254)
Miscellaneous exceptions in config.xml can prevent entire job from loading (issue 21024)
Jobs named "." can be created, but not built, configured, accessed, ... (issue 21639)
DirectoryBrowserSupport.buildChildPaths does quadratic number of calls to check whether entries are directories (issue 21780)
ZIP file download generates corrupt zip file (issue 20345)
Update credentials plugin to 1.9.4 (issue 21820)
Apply button does not work in IE Compat View (issue 19826)
Deadlock while parallel deletion/rename of jobs (issue 19446)
What's new in 1.532.2 (2014/02/14)
CannotResolveClassException breaks loading of entire containing folder, not just one job (issue 20951)
Default markup formatter permits offsite-bound forms (SECURITY-88)
Using jenkins-cli connecting to HTTPS port fails due to hostname mismatch in certificate (issue 12629)
ApiTokenFilter does not check that the user actually exists (SECURITY-89)
HTTP two-way remoting does not work (jenkins-cli.jar without JNLP) (issue 20128)
Slave launcher fails after NoClassDefFoundError: Could not initialize class jenkins.model.Jenkins$MasterComputer (issue 19453)
StreamCorruptedException (issue 8856)
UI Redressing/ClickJacking (SECURITY-80)
Fail to run 'groovysh' in CLI due to insufficient permission (issue 17929)
Loading projects too slow because of File.isDirectory calls (issue 21078)
HTML metacharacters not escaped in log messages (issue 20800)
Channel's executorService's pool should have a name (issue 19004)
ListView.expand throws ClassCastException: … cannot be cast to hudson.model.TopLevelItem (issue 20415)
Stored XSS (SECURITY-74)
Session Fixation (SECURITY-75)
/heapDump offered to anyone with ADMINISTER (SECURITY-73)
Username Guessing/Enumeration (SECURITY-79)
RingBufferLogHandler throws ArrayIndexOutOfBoundsException after int-overflow (issue 9120)
Iframe Injection (SECURITY-76)
Reflected XSS in Cookie (SECURITY-77)
l:breakable mishandles HTML metacharacters (issue 20928)
Start JNLP slave ignores jar-cache flag (issue 20093)
Stored passwords can be read out from UIs with password fields (SECURITY-93)
Too many open files upon HTTP listener init or shutdown (issue 14336)
Extension point for secure users of Api (issue 16936)
'Apply' error screens don't work (issue 20772)
Workspaces seem to be removed prematurely on concurrent jobs (issue 10615)
Job creators are able to edit or destroy the system configuration via the CLI (SECURITY-108)
Disable\Delete "Remember me on this computer" check box in login screen (issue 15757)
SECURITY-55 fails if downstream project not visible (SECURITY-109)
Builds disappear some time after renaming job (issue 18678)
Use RunAction2 from TestResultAction (issue 18410)
java.lang.NoClassDefFoundError: sun/net/www/protocol/jar/JarURLConnection (issue 20163)
Remote code execution via xstream deserialization in XML API (SECURITY-105)
Jenkins on winstone vulnerable to session hijacking (SECURITY-106)
Jenkins allows anonymous access if the Authorization Strategy can't be loaded (SECURITY-107)
you cannot use the cli without giving Overall read to Anonymous (issue 8815)
Changelog:
What's new in 1.532.1 (2013/11/25)
Collecting findbugs analysis results occasionally causes ssh slave to go offline causing job to abort (issue 19619)
Bytecode compatibility transformer mistakenly corrupts org.apache.ivy.core.settings.IvySettings.triggers (issue 19383)
Functions.globalIota overflow (issue 20085)
Upgrade bundled versions of credentials, ssh-credentials and ssh-slaves plugins (issue 19945)
/me/my-views/editDescription may be used by any user to set global description (issue 18633)
Missing base directory in ZIP from .../artifact/dir/subdir/*zip*/subdir.zip (issue 19947)
After deleting last build, next build of last build is zombie (issue 19920)
Upgrade error to 1.531: PROXY_HEADER is null (issue 19613)
Upgrade bundled versions of credentials and ssh-slaves so we can assume available (issue 20071)
Collecting findbugs analysis results randomly fails with exception (issue 18879)
ViewJobFilter.filter expect "All jobs that are possible." but don't get recursive ones (issue 20143)
Download build artifacts as zip generates a corrupted file (issue 19752)
Jenkins redirecting from https to http (issue 10675)
java.io.IOException: Unexpected termination of the channel (issue 18836)
When installing a plugin and the needed dependencies have compatibility issues, warn the user (issue 19739)
Installing a plugin with optional dependencies doesn't upgrade the optional dependencies when needed (issue 19736)
After upgrade from 1.519 to 1.526 -> NumberFormatException occurs during maven 3 build (issue 19251)
What's new in 1.509.4 (2013/10/09)
Configurable loggers should capture messages on slaves (issue 18274)
@RequirePOST and similar should send a 405 (issue 16918)
Using jenkins-cli connecting to HTTPS port fails due to hostname mismatch in certificate (issue 12629)
[XStream] ConcurrentModificationException from DefaultConverterLookup (issue 18775)
@QueryParameter with @RelativePath broken (issue 18776)
fingerprints are truncated (issue 19515)
Environment variable replacement/resolving (issue 16660)
failed to archive slave artifacts. Unexpected end of ZLIB input stream (issue 19473)
winstone.ClientSocketException: Failed to write to client (issue 10524)
/log/all polluted with FINE* messages from other loggers (issue 18959)
Incorrect redirect after editing view with Unicode name (issue 18373)
Flyweight jobs and zero executors (issue 7291)
ERR_CONTENT_DECODING_FAILED on Custom Views with Project-based Matrix Authorization (issue 15437)
Buttons do not work in IE 11 (issue 19171)
CLI login command fails on Windows (issue 19192)
Problems with "Latest Test Result" and "Aggregated Test Result" links (issue 9637)
Exception while trigger downstream projects (issue 17247)
Maven 2 jobs fail (exception in MavenFingerprinter) (issue 18441)
Outdated JRuby libs (issue 14351)
Deadlock (issue 18589)
When copying folder, display names of contained jobs are gratuitously cleared (issue 18074)
Incorrect redirection after delete of job in folder in view (issue 17575)
Javadoc project action yields HTTP 404 (issue 19168)
Memory exhaustion parsing large test stdio from Surefire (issue 15382)
With lazy-build loading estimated build duration may become expensive (issue 18196)
Can't build using maven 3.1.0 (issue 15935)
Cannot create a custom logger matching any namespace (issue 17983)
Clean up fingerprint records that correspond to the deleted build records (issue 18417)
"projects tied to slave" shows unrelated maven module jobs (issue 17451)
hudson.security.AccessDeniedException2: anonymous is missing the Administer permission (issue 15578)
"My Views" links leads to 404 Not Found (issue 17317)
Some jobs not loaded after jenkins restart: java.lang.NoSuchFieldError: triggers (issue 18677)
New lazy loading permalinks can break job.lastStableBuild != null => job.lastSuccessfulBuild != null (issue 18846)
Changelog:
What's new in 1.509.3 (2013/09/09)
Standalone install does not work with Apache + mod_proxy_ajp + SSL (issue 5753)
Reload configuration from disk no longer works after upgrade to Jenkins 1.512. (issue 17977)
Build Now link on MultiJob page doesn't work (issue 16974)
Add descriptions for custom tools (issue 18771)
Lazy loading causes massive delays after a period of inactivity when loading dashboard (issue 16023)
NPE running matrix job (issue 18024)
LastSuccessful and LastStable symlinks are invalid under Windows (issue 17681)
IllegalStateException from MavenProject.getParent can break MavenFingerprinter.recordParents (issue 17775)
NPE (isEmpty) from main.groovy (issue 15309)
DependencyClassLoader#getTransitiveDependencies returns disabled plugins (issue 18654)
parameter descriptions don't use MarkupFormatter (issue 18427)
Incompatible signature change in 1.489: AbstractProject.doBuild (issue 18356)
Display Name is not shown (issue 17715)
Fingerprint throws exceptions on 1.518 (issue 18337)
FingerprintAction deserialization leads to NPE (issue 17125)
update view via REST API doesn't work (issue 17302)
MavenModuleSetBuild.getResult is expensive (issue 18895)
Builds disappear from jobs - hudson.util.IOException2: Invalid directory name - java.text.ParseException: Unparseable date: "39" (issue 15587)
Outdated JRuby libs (issue 14351)
Fingerprint performance (issue 16301)
10,000+ jobs tied to a label make Node index page unusably unresponsive (issue 18660)
"Delete Project" link fails with 403 Exception: No valid crumb was included in the request (issue 18032)
Manually uploaded plugins are incorrectly unpacked (issue 4543)
Decorated Launcher Does Not Maintain "isUnix" for RemoteLauncher (issue 18368)
Test harness packs copies of Maven into plugin archive (issue 18918)
All Maven 2 builds fail with java.lang.NoSuchMethodError DigestUtils.md5Hex (issue 18178)
Changelog:
What's new in 1.509.2 (2013/06/27)
Quoting Issue with JDK Installer with Windows Slave (issue 5408)
/about no longer shows third-party licenses (issue 17724)
Failed to instantiate class hudson.plugins.copyartifact.CopyArtifact (issue 17402)
ArrayIndexOutOfBoundsException from AbstractLazyLoadRunMap.search (issue 15652)
Dashboard web pages don't render correctly in Chrome because of bad cache/session (issue 17684)
NPE from MatrixConfiguration.newBuild (issue 17728)
Changelog:
What's new in 1.509.1 (2013/05/01)
FilePath.installIfNecessaryFrom routes download over remoting channel (issue 17330)
Add 'Are you sure' on Reload configuration from disk (issue 15340)
MavenAbstractArtifactRecord.doRedeploy should require POST (SECURITY-69)
Hover-over "Build Now" broken for parameterized jobs: "This page expects a form submission" (issue 17110)
XSS issue, where an internal attacker can cause a remote stylesheet to be loaded and containing scripts executed. (SECURITY-67)
CVE-2013-1808 stapler-adjunct-zeroclipboard: XSS via copying XSS payload into buffer (SECURITY-71)
Jenkins.doEval checks ADMINISTER rather than RUN_SCRIPTS; doScript CSRF (SECURITY-63)
Jenkins is no longer WinXP compliant: CreateSymbolicLinkW is not available (issue 17343)
* Fix https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
Changelog:
What's new in 1.480.3 (2013/02/15)
"Remember me on this computer" does not work, cookie is not accepted in new session (issue 16278)
Slow/hung web UI in 1.483+ (stuck in parseURI) (issue 16474)
Failure to delete old config files during rekeying on Windows (issue 16319)
NoClassDefFoundError on Base64 when launching a headless slave with -jnlpCredential option (issue 9679)
Loading asynchPeople calls (synch) People constructor (issue 16397)
Jenkins briefly displays build queue and then it disappears until the page is reloaded (issue 15335)
View.hasPeople too slow to use in sidepanel.jelly (issue 16244)
XSS (SECURITY-46)
File parameter causing data loss after Jenkins restart (issue 13536)
Fix http://secunia.com/advisories/51712 .
Changelog:
What's new in 1.480.2 (2013/01/06)
The master key that was protecting all the sensitive data in $JENKINS_HOME was vulnerable. (SECURITY-49)
Changelog:
What's new in 1.480.1 (2012/11/17)
FilePath.validateAntFileMask too slow for /configure (issue 7214)
java.io.InvalidClassException (issue 14667)
Log recorders do not work reliably (issue 15226)
Invalid JSON is produced during remote api operations when a changeSet contains duplicate keys. (issue 13336)
Memory exhaustion parsing large test stdio from Surefire (issue 15382)
Fixed security vulnerabilities. (SECURITY-43,SECURITY-44,SECURITY-45)
* Fix two security bugs
Changelog:
Changes in 1.466.2 are unavailable.
What's new in 1.466.1 (2012/07/23)
A current active build in the build history is lost if the job configuration XML uploaded (issue 12318)
UnprotectedRootAction doesn't work for /github-webhook/ (issue 14113)
ERR_CONTENT_DECODING_FAILED returned on testResults and console output after Jenkins reload (issue 13625)
Cannot parse coverage results Premature end of file. (issue 11251)
Changelog:
What's new in 1.447.2 (2012/06/11)
Guice injector failure can cause failure of whole Jenkins (issue 13448)
Jenkins runs out of file descriptors (winstone problem) (issue 9882)
Parsing of POM happens before SNAPSHOT-Parents are updated (issue 8663)
Loading All Build History Fails (issue 13238)
Jenkins is an award-winning application that monitors executions
of repeated jobs, such as building a software project or jobs run
by cron. Among those things, current Jenkins focuses on the following
two jobs:
1. Building/testing software projects continuously, just like
CruiseControl or DamageControl. In a nutshell, Jenkins provides an
easy-to-use so-called continuous integration system, making it
easier for developers to integrate changes to the project, and
making it easier for users to obtain a fresh build. The automated,
continuous build increases productivity.
2. Monitoring executions of externally-run jobs, such as cron jobs
and procmail jobs, even those that are run on a remote machine.
For example, with cron, all you receive is regular e-mails that
capture the output, and it is up to you to look at them diligently
and notice when it broke. Jenkins keeps those outputs and makes it
easy for you to notice when something is wrong.
This is the Long-Term Support release.
Tested on NetBSD/i386 5.99.58 with apache-tomcat7 and openjdk7.