* This release fixes several issues:
- Delete obsolete pinning UI.
- Don't try to set Agent Port when it is enforced, breaking form submission.
- Use project-specific validation URL for SCM Trigger, so H is handled correctly in preview.
- Fix completely wrong Basque translation.
* This release contains important security fixes:
- Use of AES ECB block cipher mode without IV for encrypting secrets (SECURITY-304 / CVE-2017-2598)
- Items could be created with same name as existing item (SECURITY-321 / CVE-2017-2599)
- Node monitor data could be viewed by low privilege users (SECURITY-343 / CVE-2017-2600)
- Possible cross-site scripting vulnerability in jQuery bundled with timeline widget (SECURITY-349 / CVE-2011-4969)
- Persisted cross-site scripting vulnerability in parameter names and descriptions (SECURITY-353 / CVE-2017-2601)
- Outdated jbcrypt version bundled with Jenkins (SECURITY-354 / CVE-2015-0886)
- Pipeline metadata files not blacklisted in agent-to-master security subsystem (SECURITY-358 / CVE-2017-2602)
- User data leak in disconnected agents' config.xml API (SECURITY-362 / CVE-2017-2603)
- Low privilege users were able to act on administrative monitors (SECURITY-371 / CVE-2017-2604)
- Re-key admin monitor leaves behind unencrypted credentials in upgraded installations (SECURITY-376 / CVE-2017-2605)
- Internal API allowed access to item names that should not be visible (SECURITY-380 / CVE-2017-2606)
- Persisted cross-site scripting vulnerability in console notes (SECURITY-382 / CVE-2017-2607)
- XStream remote code execution vulnerability (SECURITY-383 / CVE-2017-2608)
- Information disclosure vulnerability in search suggestions (SECURITY-385 / CVE-2017-2609)
- Persisted cross-site scripting vulnerability in search suggestions (SECURITY-388 / CVE-2017-2610)
- Insufficient permission check for periodic processes (SECURITY-389 / CVE-2017-2611)
- Low privilege users were able to override JDK download credentials (SECURITY-392 / CVE-2017-2612)
- User creation CSRF using GET by admins (SECURITY-406 / CVE-2017-2613)
* This release fixes an issue with the configureHost function. The function now checks that Jenkins is properly deployed before trying to configure the new host.
* Jenkins 2.42 contains several enhancements and bug fixes. Notable changes from 2.39 include:
- IllegalStateException from Winstone when making certain requests with access logging enabled
- Restore option value for setting build result to unstable when loading shell and batch build steps from disk
- Autocomplete admin-only links in search suggestions only when admin
- Improve agent protocol descriptions
- Improve description for Enable Security option and administrative monitor when security is off
- Enable the JNLP4 agent protocol by default
- Support displaying of warnings from the Update Site in the Plugin Manager and in administrative monitors
- Do not print warnings about undefined parameters when hudson.model.ParametersAction.keepUndefinedParameters property is set to false
- Increase the JENKINS_HOME free disk space threshold from 1Gb to 10Gb. The warning is shown only if more than 90% of the disk is in use
- Plugin Manager: Redirect back to the Advanced Tab when saving the Update Site URL
- Prevent the ClassNotFoundException: javax.servlet.ServletException error when invoking shell tasks on remote agents
- Jobs were hanging during process termination on the Solaris 11 Intel platform
- Fix handling of the POST flag in ManagementLinks within the Manage Jenkins page
- Require POST in the Reload from disk management link