LTS Changelog

Changes since 2.479

Major bug fix

Migrate from http://updates.jenkins-ci.org to https://updates.jenkins.io if the initial installation version was 2.76 or older. JENKINS-73760

Bug fix

Restore compatibility with plugins calling Jenkins#doSafeRestart(StaplerRequest, String). JENKINS-73838
Restore compatibility with plugins contributing new views with custom XML, such as the Nested Views plugin. JENKINS-73801
Wrap long lines in the build history. JENKINS-73437
Prevent an old version of ASM from appearing as a managed dependency in plugin builds. JENKINS-73867
Update ASM to 9.7.1 to match the most recent release of the ASM API and Jenkins ASM API plugin. JENKINS-73917
Do not allow builds to be deleted while they are still building. Ensure build discarders only process builds which have fully completed. JENKINS-73835
Allow null to be passed as the first argument to doSafeRestart. pull 9882

Notable changes since 2.462.3

Major enhancement

Require Java 17 or newer. pull 9358, JENKINS-67907 , Java 17 requirement blog post
Upgrade Spring Framework from 5.3.39 to 6.1.14, upgrade Spring Security from 5.8.14 to 6.3.4, and upgrade Java EE from 8 to 9. Users of the LDAP plugin must upgrade to version 733.vd3700c27b_043 in combination with upgrading Jenkins core. Users of the Reverse Proxy Auth plugin must upgrade to version 1.8.0 in combination with upgrading Jenkins core and must also upgrade the Mailer plugin to version 489.vd4b_25144138f. Users of the CAS plugin must upgrade to version 1.7.0 in combination with upgrading Jenkins core. Users of the Windows Negotiate SSO plugin must upgrade to version 136.vda_2b_6a_744b_d8 in combination with upgrading Jenkins core. Users of third-party servlet containers must upgrade their servlet container to an EE 9 version in accordance with the Jenkins Servlet Container Support Policy. Spring Framework 6.0.23 release notes, Spring Framework 6.1.12 release notes, Spring Framework 6.1.13 release notes, Spring Framework 6.1.14 release notes, Spring Security 6.2.6 release notes, Spring Security 6.3.2 release notes, Spring Security 6.3.3 release notes, Spring Security 6.3.4 release notes, Jarkata EE 9 release page, LDAP plugin 733.vd3700c27b_043, Reverse Proxy Auth plugin 1.8.0, Mailer plugin 489.vd4b_25144138f, CAS plugin 1.7.0, Windows Negotiate SSO plugin 136.vda_2b_6a_744b_d8, Servlet Container Support Policy, pull 9672, JENKINS-73278
Upgrade Jetty from 10.0.24 to 12.0.12. pull 9590, JENKINS-73130 , Jetty 12.0.10 release notes, Jetty 12.0.11 release notes, Jetty 12.0.12 release notes
Allow all builds to be removed by the build discarder. JENKINS-68822
Remove Windows path traversal vulnerability escape hatch that was provided with the SECURITY-2481 fix.. pull 9387, JENKINS-73129 , Path traversal vulnerability on Windows - SECURITY-2481

Major bug fix

Fix download of .tar.gz artifacts in Firefox. JENKINS-73381

Enhancement

Enhancements and refinements for the appearance of several pages in Jenkins. pull 9521, pull 9707, pull 9461, pull 9411, pull 9393, pull 9381
Refinements and modernizations to sections of the Jenkins UI. pull 9453, pull 9380, pull 9365, pull 9395, pull 9641
User properties are now categorized in different pages. JENKINS-69869
Update the design of the build history widget. pull 9148
Use Notice component for views lacking jobs. pull 9724
Do not edit unrelated checkboxes in rowSelectionController. JENKINS-73669
Improve display of HTTP handshake errors (such as authentication issues) from the CLI in -webSocket mode. pull 9591
Use webSocket in the inbound agent command line sample. pull 9665
Allow plugins to customize the maximum number of suggestions in autocomplete text fields. pull 9616
Remove obsolete RekeySecretAdminMonitor. JENKINS-73597
Use makeButton to create a jenkins-button on the fly instead of using YUI. JENKINS-73563
Clarify that the plugin incompatibility message applies to the current plugin. JENKINS-73495
Add end of life dates for Alpine 3.20, Ubuntu 24.04, and Fedora 40. Correct several end of life dates, including CentOS 8. pull 9501
Avoid unnecessary download of bundled plugins during the setup wizard. pull 9476
Scroll fields from the added hetero-list entry into the viewport. pull 9488
Modernize the build time trend page with a "time since" column and a link to the console, and allow the table to be resized. Remove the agent column for the Pipeline build trend. pull 9465
When using ExitLifecycle, exit the process immediately upon a boot failure. Also allow custom lifecycles to exit immediately. pull 9483
Display the source URL in logs when installing a plugin. pull 9449
Allow some administrative monitors to be displayed for users with Overall/MANAGE permission. pull 9437
Increase the minimum required Remoting version from 4.13 to 3107.v665000b_51092. pull 9440
Update Stapler from 1880.vb_6d94a_3b_05db_ to 1881.vd39f3ee5c629 and Winstone-Jetty from 6.19 to 6.20 to let Jetty handle HTTP response compression. A new command-line option --compression can be used to disable compression if desired. pull 9379, Stapler 1881.vd39f3ee5c629 release notes, Winstone-Jetty 6.20 release notes
Remove idle executors from the Build Executor widget. pull 9177
The latency for bringing up offline agents can be improved using a new global config option Computer Retention Check Interval and setting an In demand delay of zero on the agents. JENKINS-14789

Bug fix

Several bug fixes for the Jenkins UI. pull 9695, JENKINS-73695 , pull 9667, pull 9654, JENKINS-73330 , pull 9649, pull 9625, pull 9658, JENKINS-73302
Restore compatibility with plugins contributing new objects with context menus, such as the Nested Views plugin. JENKINS-73785
Make deserialization of Map fields in XML files more robust. JENKINS-73687
Restore compatibility with the OpenId Connect Authentication and Reverse Proxy Authentication plugins. pull 9696
Validate display name only against items in the same ItemGroup. JENKINS-72988
Correct the styling for plugins that can't be disabled in plugin manager when user has system read permission. pull 9463
Refresh the build history widget in all cases, including on background tabs or hidden tabs. JENKINS-73613
Fix IndexOutOfBoundsException in cloud management pages when the controller has no executors. pull 9519, JENKINS-73554
Fix the hudson.slaves.SlaveComputer.allowUnsupportedRemotingVersions escape hatch, which was previously not working with inbound agents. JENKINS-73467

Security

Security fixes. security advisory

Major bug fix

No longer printing verbose and uninformative messages to $JENKINS_HOME/logs/tasks/Periodic background build discarder.log. JENKINS-73692

Enhancement

Upgrade Winstone from 6.18 to 6.22. Upgrade Jetty from 10.0.20 to 10.0.24. Winstone 6.19 release notes, Winstone 6.20 release notes, Winstone 6.21 release notes, Winstone 6.22 release notes, Jetty 10.0.21 release notes, Jetty 10.0.22 release notes, Jetty 10.0.23 release notes, Jetty 10.0.24 release notes, pull 9698, JENKINS-73743
Developer: Add ExtendedReadRedaction extension point to allow plugins to redact content from config.xml files served via API or CLI to users with Extended Read permission. SECURITY-3373

Bug fix

Fix the appearance of the Plugin Manager actions dropdown. JENKINS-73668
Add escape hatch for Authenticated user access to Resource URL. JENKINS-73422

Enhancement

Form validation now works for SecretTextArea fields. JENKINS-73404
Upgrade Spring Framework from 5.3.37 to 5.3.39. Spring Framework 5.3.38 and 5.3.39 include 8 fixes and improvements. Spring Framework 5.3.38, Spring Framework 5.3.39, JENKINS-73622
Upgrade Spring Security from 5.8.13 to 5.8.14. Spring Security 5.8.14 includes 2 fixes and several dependency updates. Spring Security 5.8.14, JENKINS-73648
Upgrade JUnit plugin to 1296.vb_f538b_c88630. Junit plugin 1296.vb_f538b_c88630 release notes

Bug fix

Change icon size in table when resizing the table. JENKINS-73453
Fix New Item page layout if no icon is defined for an item (regression in 2.453). JENKINS-73586

Changes since 2.462

Security

Important security fixes. security advisory

Enhancement

Upgrade Spring Security from 5.8.12 to 5.8.13. Spring Security 5.8.13 includes 19 fixes and improvements. Spring Security 5.8.13, pull 9398
Upgrade Spring Framework from 5.3.36 to 5.3.37. Spring Framework 5.3.37 includes 5 fixes and improvements. Spring Security 5.3.37, pull 9385
Upgrade bundled plugins. pull 9386, pull 9419, pull 9439, pull 9444, pull 9429, pull 9464

Notable changes since 2.452.4

Enhancement

Upgrade Commons FileUpload from 1.5 to 2.0.0-M2. Users of the SAML Single Sign On (SSO) (miniorange-saml-sp) plugin should upgrade to a compatible version in lockstep with upgrading Jenkins core. Users of the OpenText Application Automation Tools (hp-application-automation-tools-plugin) plugin should wait for a compatible version before upgrading Jenkins core. Apache Commons 2.0.0-M2 release notes
Refresh the 'New item' page. pull 9111
Move Add description to app bar. pull 9271
Add download option to Console output, move View as plain text and Copy buttons to app bar. pull 9169
Remove Disable project button from project view. pull 9287
Refresh the style of alerts. pull 9115
Improve the edit build information page. pull 9132
Avoid jumping layout due to tooltips. JENKINS-73158
Refine button appearances in sidebars, menus, pages and breadcrumbs. pull 9367
Adjust heading weights and sizes. pull 9366
Display how many users there are on the Users page. pull 9221
Improve the performance of JSON parsing. json-lib PR 30
Improve the performance of file compression and decompression. pull 9312
Improve startup performance when jobs have been created via REST API or command line interface. JENKINS-64356
Remove ASM dependencies from core. JENKINS-73046
The webappsDir argument to run Winstone with a directory full of WAR files has been removed without replacement. Winstone 6.19 changelog
Allow pipeline jobs to run when built-in node is offline. JENKINS-53958

Bug fix

Adjust side panel sizes for certain screens like iPad Pro. JENKINS-70246
Installed plugin view no longer jumps during first load. JENKINS-69588
Fix status icon animation display on Safari. JENKINS-72845
Remove tooltip when a widget is refreshed. JENKINS-72744
Honor readonly mode when displaying enumerations on pages. JENKINS-72854
After reconfiguring a static inbound agent in the GUI using fields such as WebSocket, deprecated in 2.440.x, the suggested launch instructions would incorrectly include tunnel (with no argument) even if that field had been left blank. JENKINS-73011
Fix the WorkspaceCleanupThread to consider workspaces with suffixes even if the original is nonexistent. Reduce the number of remoting calls made by WorkspaceCleanupThread. JENKINS-65829
Work around an upstream issue that could cause a hang in rare cases when two users load a configuration screen of the same type at the same time. JENKINS-60997
Handle svg cleanup via an xml document to avoid broken symbols. JENKINS-73156
Treat lines of text (mainly in build logs) as completed by a single carriage return in addition to a newline or carriage return plus newline, avoiding an out of memory error if a large number of such lines are printed in sequence. JENKINS-73090
Add new CSS classes to avoid conflicts with CSS classes from bootstrap. JENKINS-73114

Security

Important security fixes. security advisory

Major bug fix

Show help text in the correct locale even if user has an alternate language option defined in their browser (regression in 2.444). JENKINS-73246
Correctly highlight alerts (regression in 2.452.2). JENKINS-73301

Bug fix

Show correct build history panel even when a '$' character is included in a tooltip of the build history data. Quote replacement string in symbol tooltips. JENKINS-73243
Update bundled structs plugin to 338.v848422169819. Structs 338.v848422169819 release notes, SECURITY-3371

Major bug fix

Rename CloudSet query parameter type to cloudDescriptorName to avoid conflicts in cloud plugin implementations. JENKINS-72622

Enhancement

Update bundled Script Security plugin from 1335.vf07d9ce377a_e to 1336.vf33a_a_9863911. Script Security 1336.vf33a_a_9863911 release notes
Update bouncycastle API plugin from 2.30.1.77-225.v26ea_c9455fd9 to 2.30.1.78.1-233.vfdcdeb_0a_08a_a_. Bouncy Castle API plugin 2.30.1.78.1-233.vfdcdeb_0a_08a_a_ release notes

Bug fix

Add new CSS classes to avoid conflicts with CSS classes from bootstrap. JENKINS-73114
Fix width of weather icons in Safari when zoomed. JENKINS-73047
Consistently notify job listeners when the job definition is updated from the REST API or command line interface. JENKINS-64553

Changes since 2.452

Major bug fix

After reconfiguring a static inbound agent in the GUI using fields such as WebSocket (deprecated in 2.440.x), the suggested launch instructions would incorrectly include -tunnel (with no argument), even if that field had been left blank. JENKINS-73011

Bug fix

If the variant plugin is installed at the same time as a plugin that has an OptionalExtension, these extensions would not be correctly discovered until the next scan for new Extensions. JENKINS-72998

Enhancement

Upgrade Spring Framework BOM from 5.3.33 to 5.3.34. Spring Framework Bom 5.3.34 release notes

Notable changes since 2.440.3

Major enhancement

Remove the People view. Administrators can install the new People View plugin to restore this functionality. JENKINS-18884 , pull 9060, People View plugin
Add specific temporary files to the Debian package for better support of Unix domain sockets. Require Debian 10 and Ubuntu 20.04 as the minimum supported versions for Debian packages. pull 456 (packaging), Packaging issue 455
Allow recursive remote file copy even if the local and remote nodes have incompatible character sets at binary level such as ISO-8859-1 and CP-1047. JENKINS-72540

Enhancement

Modernize progress bar UI in various locations. JENKINS-69113
Add components for dropdown items. Refer to the new Design Library Dropdowns page for implementation details. pull 8827
Use the symbol for parameters in the build history of pending jobs. pull 8977
Add a "copy to clipboard" button to the build console output. pull 8960
Enable readonly mode for dropdown menus when using the Extended Read Permission plugin. pull 8955
Remove the extra margin when viewing in read only mode. pull 8938
Add a computer icon legend and a new icon for agents that are not accepting tasks. JENKINS-69191
Remove unused material icons. pull 8831
Localize the Appearance link and plain text Markup Formatter for Turkish. pull 9067, pull 9062
Make the Agent/Provision permission available in the global Security configuration when using matrix-based authorization strategies. JENKINS-72637
Do not configure an authenticator during proxy configuration via the GUI if the proxy username is blank. pull 8990
Add ability for custom update centers to override the suggested plugin list. pull 8951
Create an index page for heap dump creation. pull 8929
Non-Pipeline builds interrupted by a controller restart will now be marked as aborted rather than failed. pull 8986
Prevent authenticated access to Resource Root URL. JENKINS-72636
Update operating system end of life data for Amazon Linux, Alpine Linux, and Fedora Linux. pull 8864
Use jlink to reduce Java size on Windows as we've done previously for Java on Linux. pull 1848 (Docker)
Support Session ID for External Job Monitor to avoid HTTP 503 response. pull 8825

Bug fix

Do not attempt to self-restart on operating systems where this is not supported. JENKINS-72833
Fix a crash when restarting Jenkins on macOS. JENKINS-65911
Set the correct owner for Jenkins.clouds after Jenkins.load(). pull 8976
Improve locale parsing for loading of localised help files. JENKINS-72627
Support noCertificateCheck with webSocket on the CLI. JENKINS-72532
Show an error message in progressive logs on 4xx status codes. JENKINS-72509
Avoid a stack trace from ArtifactArchiver when no artifacts are found. JENKINS-71700
Restore performance displaying build artifacts when using remote artifact managers such as in S3. A security fix in 2.394 caused a substantial slowdown that is now resolved. pull 8874
Adjust heap dump file name for compatibility with OpenJDK file suffix requirements. JENKINS-72579
Fix build button rendering for Dashboard View plugin. pull 8854
Change focus in the new item page only if from has a valid job name. JENKINS-66530

Security

Security fix. security advisory

Bug fix

Ensure threads in the Computer.threadPoolForRemoting executor service always have the Jenkins webapp ClassLoader set as the context ClassLoader to prevent random class loading issues when code is running in this ExecutorService. JENKINS-72796
Customization of agent log files did not work for inbound agents. JENKINS-72799

Enhancement

Update Spring Security to 5.8.11. Update Spring Framework to 5.3.33. pull 9042, Spring Security 5.8.11 release notes, Spring Framework 5.3.33 release notes
Update bundled Trilead API Plugin to 2.84.86.vf9c960e9b_458. Trilead API 2.84.86.vf9c960e9b_458 release notes
Update Apache Mina in the CLI from 2.11.0 to 2.12.1. Mina 2.12.1 release notes
Upgrade bundled plugins. pull 8914, pull 8961, pull 8988, pull 9018, pull 9036, pull 9091, pull 9098, pull 9103

Security

Important security fix. security advisory

Enhancement

Upgrade Winstone from 6.16 to 6.18. Upgrade Jetty from 10.0.18 to 10.0.20. Winstone 6.17 changelog, Winstone 6.18 changelog, Jetty 10.0.19 changelog, Jetty 10.0.20 changelog
Do not show empty tooltips. JENKINS-71148

Bug fix

Restore progress animation in build history and build time trend views (regression in 2.434). JENKINS-72711

Changes since 2.440

Security

Important security fixes. security advisory

Major bug fix

Fix missing folder icons. JENKINS-72407

Bug fix

Update the bundled Matrix Project Plugin from 818.v7eb_e657db_924 to 822.824.v14451b_c0fd42. JENKINS-72603
Find selected radio option when validating instead of the last one used. JENKINS-72505

Notable changes since 2.426.3

Major enhancement

Add an Appearance category to the setup wizard. pull 8822
Add missing *_fr.properties in win32errors and hudson, lib, and Jenkins resources. Translate hudson/Messages.properties, hudson/model/Messages.properties, and jenkins/model/Messages.properties into French. pull 8594, pull 8595, pull 8578, pull 8577
Update to various UI elements. Style widget panes to match Jenkins. Modernize icons, controls, and fonts. pull 8802, pull 8780, pull 8761, pull 8689, pull 8740, pull 8693, pull 8705

Enhancement

Add telemetry for basic Java system properties describing the environment. pull 8787
Turkish localization fixes for build, login, and user management pages. pull 8631
Fix a minor memory leak in a Remoting log statement. Add forward proxy support for WebSocket. Support custom certificate options for WebSocket. pull 8643
Remove build timeline widget from the build history pages of views, jobs, and agents. JENKINS-60866
More consistently report errors launching outbound agents. pull 8675
Stop recommending JNLP URL in agent launch instructions. pull 8639
Deprecate all configurable options in Launch agent by connecting it to the controller (inbound in JCasC), as these are only useful in conjunction with the deprecated jnlpUrl mode. pull 8762
The jnlpUrl ${JENKINS_URL}/computer/${AGENT_NAME}/jenkinsagent.jnlp argument to the agent JAR has been deprecated. Use url ${JENKINS_URL} and name ${AGENT_NAME} instead, potentially also passing in webSocket, tunnel, and/or work directory options as needed. pull 8773
Removed deprecated and unused class UserProperties. pull 8679
Deactivate the administrative monitor when all previously offline agents are again online. JENKINS-72159
Prepare node monitors to work with configuration as code. JENKINS-64816
Rework node monitor configuration. JENKINS-72371
Allow configuration of disk thresholds globally and for each agent. Improve the warning when disk space is too low. Ensure agents are taken offline when disk space is low. JENKINS-72009
Fail fast when attempting to load a broken plugin that contains the Jenkins test harness in production. pull 8714
Add packaging support for Unix domain sockets. pull 442 (packaging)
Accept all 2xx and 3xx status codes to validate proxy in HTTP Proxy Configuration. JENKINS-72343
Ensure uptime is independent of system clock. JENKINS-72157
Show monitoring data on agent page. pull 8725
Use a notification and Jenkins modal for 'Apply' button failures. pull 8394
BootFailure subclasses can now override the Jenkins startup failure page. pull 8442
Reduce the window of time during which a crash may lead to an inconsistent state on Linux. pull 8815

Bug fix

Restore printing output from println and similar methods for the groovy CLI command (regression in 2.427). JENKINS-72181
Refer to the correct option in the security configuration help text. JENKINS-72222
Restore security configuration help text and remove obsolete help text. pull 8630
Some agent-related objects could be kept in memory after being disconnected and removed from the computer list. pull 8640
Avoid incorrect styling when deleting the first of two shell steps in a job definition. JENKINS-72196
Prevent a deadlock that can occur when loading PermalinkProjectAction.Permalink. pull 8736
Display strings consistently in the requested language when running Jenkins in a JVM with a non-english locale. JENKINS-72449
Fix nested job link in mobile view. JENKINS-72288
Do not show option to copy items when there are no items visible. JENKINS-72443
Display correct time zone in build history. JENKINS-71965
The tunnel property on an inbound agent was inadvertently broken for JCasC usage in 2.437. It remains deprecated and usages should be deleted (regression in 2.437). pull 8793
Fix SimpleScheduledRetentionStrategy on inbound agents. Allow suspended inbound agents to again accept tasks when they are reconnected and the configured scheduling policy is enabled. JENKINS-72370
Remove code that may have caused an agent-side hang under a rare race condition. Remoting PR 713
Reduce the likelihood of thread creation errors on agents. Remoting PR 717

Security

Important security fixes. security advisory

Bug fix

Avoid repeated tool downloads from misconfigured HTTP servers. JENKINS-72469
Fix redirect when renaming a cloud. JENKINS-71737

Enhancement

Warn users at 12 months prior to end of Java support and again at 3 months prior to end of Java support. pull 8661

Bug fix

Add support for Unix Domain Sockets. Upgrade Winstone from 6.14 to 6.16. Upgrade Jetty from 10.0.17 to 10.0.18. Winstone 6.15 changelog, Winstone 6.16 changelog, Jetty 10.0.18 changelog

Short container image tags (without "jdk" in them) such as jenkins/jenkins:2.426.1 are now using Java 17. If you need to continue using Java 11, use tags like jenkins/jenkins:2.426.1-jdk11. The Windows container images of this release switch from a windowsservercore-1809 Temurin base image to a windowsservercore-ltsc2019 Microsoft base image. Note also that a proper set of tags is now published for these Windows images and they include "ltsc2019" instead of only "2019".

Changes since 2.426

Major bug fix

Show form validation results for form elements that are initially hidden. Remove previous form validation errors when the form validation is updated with new content (regression in 2.355). JENKINS-71252 , JENKINS-70793
Fix multibranch Pipeline Add source and other uses that mix inputs and buttons (regression in 2.422). JENKINS-72170
Add sleep call when -noReconnect is not specified for Kubernetes agents. Remoting PR 675
Add proxy support for Remoting. JENKINS-65368
Fix agent allocation due to label issue detected by vSphere Cloud plugin (regression in 2.421). JENKINS-71937
Fix drag and drop handle for existing repeatables (regression in 2.335). JENKINS-72189

Enhancement

Add telemetry for Jenkins uptime. JENKINS-72248

Bug fix

Show the description of boolean build parameter values on the Parameters view (regression in 2.179). JENKINS-72179
Allow clouds to be reordered. This was previously possible, but disappeared when the cloud management was moved to a separate page (regression in 2.403). JENKINS-72020
Update SnakeYAML plugin to 2.2 to silence security scanners. JENKINS-70994

Notable changes since 2.414.3

Major enhancement

Support Java 21 in addition to Java 11 and Java 17. JENKINS-71800 , Java 21 supported in 2.426.1
Remove outdated Prototype.js library. JENKINS-70906 , pull 7781, Prototype removal blog post
Stop delivering CentOS 7 container images as part of the end of support for Red Hat Enterprise Linux 7 and its derivatives. Red Hat Enterprise Linux 7 and CentOS 7 end of life blog post, Docker pull request 1777
Replace browser confirm with modal dialogs in many places. Add API for alert, confirm, prompt, modal and form dialogs. JENKINS-71438
Updates to various UI elements. Modernize buttons, menus, link design, and content blocks. pull 8381, pull 8376, pull 8375, pull 8363, pull 8180
Add Appearance system configuration page to customize Jenkins' look and feel. pull 8403
Various performance optimizations. Optimizations for loading, label parsing, and project deletion. pull 8494, pull 8395, pull 8299

Major bug fix

Prevent incorrect readResolve implementations from breaking agent label parsing. pull 8448

Enhancement

Automate the display of an administrative monitor when approaching Java end of life (EOL) dates. pull 8526
Remove System V initialization scripts from RPM based installers. The System V initialization scripts were replaced in March 2022 with systemd initialization. RPM users with a custom log directory no longer have a logrotate(8) configuration out-of-the-box. pull 409 (packaging), Linux install packages migrated from System V init to systemd
Add a nicer 404 error page. JENKINS-71087
The minimum required Remoting version has been increased from 4.7 to 4.13. pull 8503
List plugins in deterministic order to improve diagnosability of plugin linkage errors. JENKINS-71950
Display a notice when plugin updates are available or when there are no plugins installed. pull 8208
Remove the treeview option for artifactList. JENKINS-71054
Log agent usage by job. pull 8283
Make tab panes accessible via keyboard. JENKINS-71496
Add allow-same-origin to the sandbox ContentSecurityPolicy directive of workspace and artifact browsers if the Resource Root URL feature is not used. Allow requests to resources like stylesheets and images, even if a reverse proxy prohibits cross-site requests. JENKINS-71366
Updates to Turkish localization for jobs. pull 8368
Remove the rebuild plugin from the setup wizard plugin selection. pull 8258
Stop shipping net.sf.kxml:kxml2 because Jenkins no longer depends on it. pull 8503

Bug fix

Prevent log spam when using the Jenkins security database and users signup. pull 8474
Show a confirmation popup when triggering a task action from a context menu. JENKINS-71880
Hide the delete button from the only repeatable element in configuration forms when at least one element is expected. JENKINS-72018
Symbols display in breadcrumbs now. JENKINS-71983
Message no longer appears twice when the agentLog option is used. JENKINS-38520
Hide administrative monitors icons/popup in the header of Manage Jenkins, as they're shown directly on the page. JENKINS-71848
Fix link to job in the message informing administrators of trigger computations that run for an unusually long time. JENKINS-71833
Use standard size node icon even with long node names. pull 8089
Add the X-Content-Type-Options HTTP header to the response from the agent listener. Silence security scanners that incorrectly report an issue when the HTTP header is missing. JENKINS-71186
Estimate project duration accurately in more cases. pull 8233

Short tags (without "jdk" in them) such as jenkins/jenkins:2.414.3-alpine are using Java 17 and not Java 11 like previously. If you need to keep using Java 11, use tags like jenkins/jenkins:2.414.3-jdk11. Also note that two new tags (2.414.3-alpine-jdk17 & 2.414.3-slim-jdk17) have been published without any content change a week later than the original ones.

Security

Important security fix. security advisory

Major enhancement

Use Java 17 as the default Java version in container images that do not specify a Java version in the container label. Docker pull request 1724
Update commons-compress from 1.23.0 to 1.24.0. Apache Commons Compress 1.24.0 Release Notes

Major bug fix

Do not create a large number of threads when making numerous HTTP requests. JENKINS-72016
Reduce high memory usage from XStream2.AssociatedConverterImpl (regression in 2.405). JENKINS-72076

Enhancement

Add telemetry collecting basic information about the security configuration. JENKINS-71996
Upgrade Winstone from 6.12 to 6.14. This includes the upgrade of Jetty from 10.0.15 to 10.0.17. The Jetty upgrade includes fixes for several CVEs. Winstone 6.13 changelog, Winstone 6.14 changelog, Jetty 10.0.16 changelog, Jetty 10.0.17 changelog, CVE-2023-44487

Bug fix

Restore context menus of model links in build history views and administrative monitors (regression in 2.402). JENKINS-71890

Security

Important security fixes. security advisory

Major enhancement

Add allow-same-origin to the sandbox Content-Security-Policy directive of workspace and artifact browsers if the Resource Root URL feature is not used. Allow requests to resources like stylesheets and images, even if a reverse proxy prohibits cross-site requests. JENKINS-71366

Major bug fix

The plain text console log will still be printed even if some console annotations are corrupt. JENKINS-61452

Bug fix

New login page breaks login-theme-plugin (regression in 2.404). JENKINS-71238
Fix invalid CSS which caused some buttons to become invisible on hover (regression in 2.402). JENKINS-71238

Changes since 2.414

Security

Important security fix. 2023-07-26 security advisory

Major enhancement

Update Debian images to version 12.0 (bookworm). Docker pull request 1687

Enhancement

Add last build status to job page. pull 8129

Bug fix

Remove rebuilder plugin from the setup wizard plugin selection. JENKINS-71630
Only disable the plugin manager "install" button if no plugins are selected (regression in 2.414). JENKINS-71698

Notable changes since 2.401.3

Major enhancement

Update to various UI elements. Update appearance and framework for dropdown links. Modernize forms and pages. pull 8210, pull 8179, pull 8076, pull 8025, pull 7989, pull 8015, pull 7962, pull 7716, pull 7836, JENKINS-70805 , pull 7891, JENKINS-71160 , pull 7870, JENKINS-71115 , pull 7887, JENKINS-71152 , pull 7420, JENKINS-70115 , pull 7922, JENKINS-71177 , pull 7770
Update UI and function of Log Recorder. Display a notice when there are no logs available. pull 8186, pull 8164
Allow cancelling the quiet down mode of a safe restart with an optional custom message for safe restarts (with new default message). Use a less dangerous color for the safeRestart banner. Allow setting the full prepareShutdown message instead of only the reason. Show a hint on the "Jenkins Unavailable" page about safe restarts. JENKINS-70059

Major bug fix

Prefix the name of input elements of ListView to prevent form submission issues when an Item (job) is named elements. JENKINS-71200

Enhancement

Use dialogs to delete computers, views, clouds, users and log recorders instead of dedicated pages. JENKINS-13545
Improve Content Security Policy compatibility. JENKINS-71034 , JENKINS-71035 , JENKINS-71036 , JENKINS-71037 , pull 8054, JENKINS-71042 , JENKINS-71044 , JENKINS-71045 , pull 8039, JENKINS-71040 , JENKINS-71041
Upgrade Winstone from 6.10 to 6.12. This includes the upgrade of Jetty from 10.0.13 to 10.0.15. Add or update MIME types for JavaScript files, JavaScript module files, AV1 Image File (AVIF) files, Web Open Font Format (WOFF) files, and WebAssembly files. Winstone 6.11 changelog, Winstone 6.12 changelog, Jetty 10.0.14 changelog, Jetty 10.0.15 changelog
Update to sign-in page on desktop and mobile. Remove animations and modernize page. pull 7995, JENKINS-71246 , pull 7872
Update to Builds widget UI. JENKINS-70220 , pull 7870, JENKINS-71115
Rework clouds management into multiple pages to better scale to large numbers of clouds. Users of EC2 Plugin should update it to version 2.0.7 or newer for compatibility. JENKINS-70729
Add Japanese translation of Apply. pull 8140
Switch the double-launch checker to a regular administrative monitor. pull 8127
Add support for jakarta.inject annotations. pull 8065
Reduce the circumstances under which recent old builds will be loaded when starting new builds. pull 7998
Refinements to class loading behavior looking up special formatters for XML configuration files. pull 7976
Add a user experimental flag to run Jenkins without Prototype.js. Plugin authors should enable this flag and fix any issues that result from the removal of Prototype.js. In the future Prototype.js will be removed from Jenkins core. pull 7948
Make "Skip to content" link visible through keyboard navigation. pull 7956

Bug fix

Fix update center proxy configuration hyperlink in error messages. JENKINS-71244
Fix support of clouds without a config.jelly file. pull 7972

Security

Important security fix. security advisory

Bug fix

Remove incorrect text from JENKINS_HOME help. pull 8161

Major enhancement

Warn administrators when their Linux operating system is approaching end of life. pull 7913, pull 8082, JENKINS-71428 , End of life operating systems

Enhancement

Upgrade from Guice 5 to 6. Guice 6.0.0 changelog, pull 8121

Changes since 2.401

Security

Important security fix. 2023-06-14 security advisory

Bug fix

Fix the writing of emojis to XML (regression in 2.403). JENKINS-71182
Do not write NUL values to XML files. A technically illegal #x0 (NUL) could be written to Jenkins XML files but could no longer be read. Now the write will fail as well (regression in 2.398). JENKINS-71139
Remove "undefined" trailing text from system dropdown menu. JENKINS-71345
Fix the warning icon in the workspaces temporary directory message. JENKINS-71160
Show full width filter field for builds on pages less than 970 pixels wide. JENKINS-71115

Notable changes since 2.387.3

Enhancement

Simplify the names of the settings in Manage Jenkins. pull 7661
Use a card layout instead of a table for the dashboard on mobile. pull 7581
Refresh the Build with Parameters interface. pull 7748
Revamp icon legend as a modal. pull 7718
Refresh the design of the About Jenkins page. pull 7712
Running pipeline build logs can now be displayed across controller restarts without reloading in some environments. pull 7614
Introduce user experimental flags. JENKINS-69853
Add a copy button for the code snippets that start agents and for the Jenkins home directory. Warn user that copy button requires HTTPS. pull 7625, pull 7678, pull 7665, JENKINS-21052
The default connection mode for the Java CLI client is now webSocket. You can specify http to continue to use the former default (for example because you are running Jenkins in a servlet container other than the recommended builtin Jetty, or because you are running an unusual reverse proxy which does not support WebSocket). You can also continue to specify ssh to use SSH transport (for example because you prefer to authenticate with a private key rather than an API token), or use a native SSH client. pull 7605
Simplify loading of JavaScript and CSS. Users of OWASP DependencyTrack must upgrade to 4.3.1 or later, and users of ServiceNow CI/CD must upgrade to 2.1 or later. pull 7827
Upgrade Spring Framework from 5.3.26 to 5.3.27. Spring Framework 5.3.27 release notes
Upgrade bundled Winstone from 6.7 to 6.10. Add the excludeProtocols option. Improve logging during shutdown. pull 7632, Winstone 6.10 changelog, Winstone 6.9 changelog, Winstone 6.8 changelog

Bug fix

Fix null pointer exception on the "Manage Jenkins" page when HTTP/2 is enabled. JENKINS-70630
Hide the Restart Jenkins checkbox in the update center if the controller doesn't support it. JENKINS-69489
Move set node temporarily offline/online buttons to appbar. JENKINS-70394

Bug fix

Restore New Node button in computer overview for users with node creation permission. JENKINS-70820
Fix Delete Build button text overflow. JENKINS-70809
Hide Restart Jenkins checkbox in the update center if the controller doesn't support it. JENKINS-69489
Support emojis in Job DSL scripts. JENKINS-69129

Major bug fix

Adjust WebSocket idle timeout to 60 seconds by default, to avoid "WebSocketTimeoutException: Connection Idle Timeout" issues. JENKINS-69955

Bug fix

Restore the redirect destination of the pluginManager/installNecessaryPlugins API endpoint. JENKINS-70599
Update bundled plugins to include fixes announced in 2023-01-24 and 2023-02-15 Jenkins security advisories. Jenkins Security Advisory 2023-01-24, Jenkins Security Advisory 2023-02-15

Enhancement

Sign WAR file and Windows installer with new code signing certificate. pull 358

Changes since 2.387

Security

Important security fixes. security advisory

Major bug fix

Move 'set node temporarily offline/online' buttons to app-bar to make them clickable again (regression in 2.385). JENKINS-70394
Allow WebSocket agent connections to time out after 5m if a write never succeeds. JENKINS-70531
Fix the TcpSlaveAgentListenerRescheduler functionality. TcpSlaveAgentListener is automatically restarted on failure. JENKINS-70334

Bug fix

Add script-security update to LTS baseline. JENKINS-70487
Do not submit empty telemetry data if an error occurred during data collection. JENKINS-70533
Update bundled Apache Mina SSHD API plugins from 2.9.1-44.v476733c11f82 to 2.9.2-50.va_0e1f42659a_a. CVE-2022-45047

Enhancement

Limit the maximum number of search results.

Notable changes since 2.375.3

Major enhancement

Update to various UI elements. Modernize table display, page layout, and buttons. pull 6843, pull 6995, JENKINS-69339 , pull 7373, pull 7452, pull 7173, JENKINS-70128 , pull 7556, JENKINS-70112 , pull 7555, pull 7475, JENKINS-70209 , pull 7425, JENKINS-70117 , pull 7597, JENKINS-70240 , pull 7314, pull 7203, pull 7171, pull 7364, JENKINS-69517 , pull 7366, pull 7364, pull 7229, JENKINS-69715 , pull 7352, pull 7367, pull 7368, pull 7399, JENKINS-70036 , pull 7427, JENKINS-70121 , pull 6511
Add missing breadcrumb items in various locations. pull 6912, pull 7487, pull 7488, pull 7489, pull 7490, pull 7491, pull 7492, pull 7493, pull 7494, pull 7495, pull 7496
Update ANTLR2 grammars and code to ANTLR4. pull 7293
Update Spring Security from 5.7.4 to 5.8.0. This update includes several fixes and improvements. Spring Security 5.7.5 release notes, Spring Security 5.8.0 release notes, CVE-2022-31690, CVE-2022-31692
Set default file size rotation of AsyncPeriodicWork / AsyncAperiodicWork task logs to 10MB. JENKINS-64151
Update appearance of tooltips and replace old library with Tippy.js. pull 6408

Major bug fix

Several fixes and improvements for Websocket agents. JENKINS-70105 , pull 7309

Enhancement

The minimum required Remoting version has been increased to 4.7 (released on February 16, 2021). pull 7340
Add telemetry related to distributed builds. JENKINS-70199
Add telemetry for activation of permissions that are not enabled by default. JENKINS-70044
Remove the notice in the plugin manager Updates tab about newer plugin versions not compatible with your current core version. Limit the display of updates to plugin versions actually being offered by the update center for your core version. JENKINS-62332
Show recommended actions, such as "update affected plugins", in security warnings popup. pull 7046
Jenkins no longer bundles a patched version of the deprecated Commons HttpClient 3.x library for use by plugins. Plugins should be migrated to the native Java 11 HTTP client or updated to depend on the legacy Commons HttpClient 3.x API plugin. Commons HTTP Client, Apache HTTP Client
Remove the deprecated Multijob plugin from the setup wizard. pull 7413
Remove the deprecated WMI Windows Agents plugin from the setup wizard. pull 7414
Do not report implied dependencies for WMI Windows Agents plugin. JENKINS-70301
Avoid unnecessary configuration save when reloading configuration from disk. pull 7305
Robustness improvement regarding build number collisions. JENKINS-23152
Remove support for log rotation via SIGALRM. The command-line argument --daemon has been removed. pull 7256
Upgrade XStream from 1.4.19 to 1.4.20. This maintenance release addresses the security vulnerabilities CVE-2022-40151 and CVE-2022-41966, causing a Denial of Service by raising a stack overflow. It also provides new converters for Optional and Atomic types. XStream 1.4.20 release notes, CVE-2022-40151, CVE-2022-41966
Upgrade Guice from 5.0.1 to 5.1.0. Guice 5.1.0 contains eight fixes and improvements. Guice 5.1.0 release notes
Upgrade Spring Framework from 5.3.23 to 5.3.24. Spring Framework 5.3.24 release notes

Bug fix

Improve tooltip performance. JENKINS-70178
Fix the update of disabled plugins. JENKINS-69183
Close connection on the agent if the agent's liveness ping receives no response. JENKINS-70414
Delay initialization of cryptography needed for TCP inbound agents unless and until such an agent is connected. pull 7514
Delete .disabled files when uninstalling a plugin. JENKINS-68194
Fix a race condition affecting the launch of inbound agents. pull 7378

Security

Important security fixes. security advisory

Enhancement

Limit the maximum number of search results.

Bug fix

Resolve implied dependencies on WMI Windows Agent plugin. JENKINS-70301
Prevent Angry Jenkins when checking a non http(s) based update center URL. JENKINS-70240
Remove negative letter-spacing to improve legibility in some languages and fonts (regression in 2.340 + 2.350). JENKINS-70209
Restore link to last breadcrumb in Console view. JENKINS-70169

Enhancement

Add telemetry related to distributed builds. JENKINS-70199

Major bug fix

Wait for 10 seconds before attempting to reconnect a WebSocket agent, regardless of whether or not the controller is responding. Slow down websocket re-connect
Memory leak when repeatedly connecting WebSocket agents. JENKINS-70103

Bug fix

Updated bundled Script Security plugin from 1189.vb_a_b_7c8fd5fde to 1190.v65867a_a_47126. Updated JUnit plugin from 1156.vcf492e95a_a_b_0 to 1160.vf1f01a_a_ea_b_7f. Jenkins Security Advisory 2022-11-15
Fix console-view bouncing when new entries appear. JENKINS-69587

Changes since 2.375

Major bug fix

Prevent potential deadlocks on websocket agents. JENKINS-69890
Fix Gravatar error on profile page (regression in 2.335). JENKINS-70023

Enhancement

Add telemetry for activation of permissions that are not enabled by default. JENKINS-70044

Notable changes since 2.361.4

Major enhancement

Update to various UI elements. Modernize icons, navigation, and buttons. JENKINS-65124 , pull 6728, pull 6924, pull 6956, pull 6907, pull 7052, pull 7098, pull 7074, pull 7185, pull 6886, JENKINS-69032 , pull 7183, pull 7182, pull 7217, pull 7216, pull 7205, JENKINS-69714 , pull 7197
Improve breadcrumb bar accessibility. pull 6912
Update the design of notifications. pull 7049
Update the weather and status icons. JENKINS-65124

Major bug fix

Prevent a stack overflow when loading a queue (regression in 2.361). JENKINS-69850

Enhancement

Winstone 6.6: Upgrade Jetty from 10.0.11 to 10.0.12. Remove support for OpenSSL-style PEM-encoded RSA private keys when running Jenkins with the embedded Jetty (Winstone) container and TLS. The flags --httpsPrivateKey and --httpsCertificate have been removed. The flags --ajp13Port and --ajp13ListenAddress have been removed. The flags --handlerCountMax and --handlerCountMaxIdle have been removed. The flags --toolsJar and --useJasper have been removed. Support HTTP/2 without the use of a custom --extraLibFolder option. pull 7117, JENKINS-69624 , pull 7277, JENKINS-69509 , Winstone 6.0 changelog, Winstone 6.1 changelog, Winstone 6.2 changelog, Winstone 6.3 changelog, Winstone 6.4 changelog, Winstone 6.5 changelog, Winstone 6.6 changelog, Jetty 10 and 11 blog post, Jetty 10.0.12 changelog, HTTPS with an existing certificate, Remove ability to load pem cert for winstone
Add sidebar to plugin manager, increase search bar size. pull 6783
Add support for Apple's touch bar icons. pull 6768
Removed: The signed jenkins-parent-${JENKINS_VERSION}-src.zip source archives have been removed from Artifactory for future releases. Users who wish to download source archives for offline consumption are encouraged to do so via GitHub. pull 7061, Artifactory, GitHub source code download
Display email form validation errors near the data entry field in the setup form. JENKINS-68952
Show recommended actions (e.g., to update affected plugins) in security warnings popup. pull 7046
Clarify safe restart won't wait for Pipeline jobs. pull 7091
Allow form checker to check more than one thing at a time. pull 6951
Add documentation for the --paramsFromStdIn and --version command-line options. pull 7246

Bug fix

Fix sorting of British currency in tables. pull 7250
Improve build progress animation when refreshing parts of the history/executors widget. JENKINS-68627
Fix the resize behavior of Execute Shell build steps. JENKINS-69320
Fix searchBar is null issue in setup wizard and when using custom Jenkins headers. JENKINS-69250
Ensure that temporary network partitions do not cancel the WebSocket ping thread (regression in 2.363). pull 7195

Major bug fix

Prevent a stack overflow when loading a queue (regression in 2.361). JENKINS-69850

Major bug fix

Fix a race condition that causes file descriptor leaks when cloud agents are created (regression in 2.294). JENKINS-69534

Bug fix

Model link chevron is not in center in user build cause on console log. JENKINS-69257
Table columns get wider or smaller depending on the sort selection. JENKINS-67864

Major bug fix

Fix thread safety in websockets handling. JENKINS-69543

Bug fix

Fix the resize behavior of Execute Shell build steps (regression in 2.321 or 2.357). JENKINS-69320
Fix a potential FileAlreadyExistsException error on startup on systems with slow I/O. JENKINS-67624
Fix Plugin Manager selection buttons appearance. JENKINS-69467
Fix Java version check in /etc/init.d/jenkins. JENKINS-69570
Properly reset attributes of cached symbols. JENKINS-68805

Changes since 2.361

Security

Important security fix. 2022-09-09 security advisory

Major enhancement

Winstone 6.1: Upgrade Jetty from 9.4.46.v20220331 to 10.0.11. Remove support for OpenSSL-style PEM-encoded RSA private keys when running Jenkins with the embedded Jetty container and TLS. Winstone 6.0 Changelog, Winstone 6.1 Changelog, Jetty blog, Remove ability to load pem cert for winstone
Update to various UI elements. Modernize tables, forms, and progress bars. pull 6963, JENKINS-69240 , pull 6961, JENKINS-69230 , pull 6957, JENKINS-69211 , pull 6930, JENKINS-68957 , pull 6728, JENKINS-68578 , pull 6922, JENKINS-68851

Major bug fix

Fix an error when rebuilding jobs triggered by polling (regression in 2.358). JENKINS-69210
Update Jenkins pom from 1.83 to 1.84. Ensure jar files and javadoc are up to date for 2.361.1. JENKINS-69198

Bug fix

Upgrade Remoting from 3025.vf64a_a_3da_6b_55 to 3044.vb_940a_a_e4f72e to improve performance of previous fix for java.lang.OutOfMemoryError: unable to create new native thread on agents. pull 6936, JENKINS-65873 , JENKINS-68954 , Remoting 3028.va_a_436db_35078 changelog, Remoting 3044.vb_940a_a_e4f72e changelog
Use correct icon lookup, even when plugin ID includes multiple occurrences of "plugin". JENKINS-68801
Fix sorting list of installed plugins by timestamp in plugin manager (regression in 2.274). JENKINS-68750
Build number cut off on Safari (regression in 2.344). JENKINS-68390
Script console input box is not sizeable, yet the box looks like it is (regression in 2.321). JENKINS-68380
Developer: Temporarily restore compatibility with PowerMock-based tests (regression in 2.361.1 RC 1). PowerMock will be completely removed on or after June 1, 2023. JENKINS-69250

Notable changes since 2.346.3

Major enhancement

Require Java 11 or newer. Blog post, JENKINS-68570 , JEP-236, pull 6083
New design for project configuration page. Navigation links available on left side of screen. JENKINS-68282
Update to various UI elements. Modernize tables, forms, and progress bars. pull 6760, JENKINS-68912 , pull 6698, JENKINS-68934 , pull 6687, JENKINS-68198 , pull 6651, JENKINS-68672

Enhancement

The instance-identity module has been converted to a detached plugin. JENKINS-55582
Update the minimum required Remoting version to 4.2.1. pull 6671
Keyboard shortcut added to focus global search bar (⌘ + K/CTRL + K). pull 6893
Blocked upstream projects in the queue block downstream projects when the option "Block build when upstream project is building" is enabled for the downstream project. Similarly, blocked downstream projects in the queue block upstream projects when the option "Block build when downstream project is building" is enabled for the upstream project. JENKINS-68780
Add breadcrumbs to "Manage Jenkins" and children of it. Developers should ensure they use relative links for navigating between pages if they are a child of "Manage Jenkins". pull 6126
Use native Java Platform functionality rather than Ant to load classes. The old behavior can be restored by setting -Dhudson.ClassicPluginStrategy.useAntClassLoader=true. pull 6571
Remove Java Web Start support for launching inbound agents, along with the GUI mode, the platform-specific agent installers, and the JAR signature. pull 6543, Java Web Start

Bug fix

Connect breadcrumb context menus to items in subfolders. JENKINS-68906
Fix websocket reconnection in edge cases. Upgrade from Remoting 4.13 to 3044.vb_940a_a_e4f72e. pull 6576, JENKINS-68542 , Remoting 3025.vf64a_a_3da_6b_55 changelog, Remoting 3028.va_a_436db_35078 changelog, Remoting 3044.vb_940a_a_e4f72e changelog
Revert prior attempts to make log records collectible by limiting discarded messages. JENKINS-68417

Enhancement

Upgrade Spring Framework from 5.3.19 to 5.3.20. pull 6565, Spring Framework 5.3.20 changelog, CVE-2022-22970, CVE-2022-22971

Bug fix

Revert prior attempts to make log records collectible by limiting discarded messages. JENKINS-68417
Connect breadcrumb context menus to items in subfolders. JENKINS-68906
Improve progress bar visibility in shaded rows. JENKINS-68672
Update Remoting from 4.13.2 to 4.13.3 to improve performance of previous fix for java.lang.OutOfMemoryError: unable to create new native thread on agents. JENKINS-65873

Enhancement

Remove deprecated Docker plugin installation script install-plugins.sh. Use plugin installation manager tool through the jenkins-plugin-cli script in the Docker image. Docker pull request 1408, Plugin installation manager tool documentation

Bug fix

Ignore duplicate log recorders keyed by same name. JENKINS-68752
Display job icons correctly on the Jenkins dashboard, even when a non-empty context path alters the URL (regression in 2.346.1). JENKINS-68639
Show all log messages when an inbound agent fails to connect (regression in 2.310). JENKINS-68785
Plugins selected for update cannot be unselected once the update has started. JENKINS-68730
Fix offset of radio buttons when selected. JENKINS-68799
Make previous boot attempt timestamps available to boot-failure.groovy startup hooks (regression in 2.308). JENKINS-68848

Changes since 2.346

Security

Important security fixes. security advisory

Enhancement

Remove SSH Plugin from setup wizard plugin selection. JENKINS-68556
Allow running on Java 17 without --enable-future-java. pull 6602
Show remote class loader statistics of agents with new table layout. JENKINS-68591
Update bundled Script Security Plugin from 1.75 to v35f6a_0b_8207e Update bundled WMI Windows Agents Plugin from 1.0 to 1.8.1 pull 6582, 2022-05-17 security advisory

Bug fix

Fix indistinguishable build scheduling icon when the job is already in-queue (regression in 2.321). JENKINS-68303
Fix the position of the help button when it is not directly attached to an object (regression in 2.320). JENKINS-68042
Restore actions icon size lookup (regression in 2.341). JENKINS-68296
Fix a runtime error when viewing the build time trend on Java 17. JENKINS-68215
Provide supporting infrastructure to enable Pipeline: Groovy to work around a metaspace memory leak for users running Pipeline jobs on Java 11. pull 6597, JENKINS-63766 , JDK-8231454 metaspace leak
Restore the frame color of the build progress bar of the executor widget. pull 6607
Keep the Save and Apply buttons in front of menus (regression in 2.337). JENKINS-68640
Fix WebSocket reconnection in edge cases. Upgrade from Remoting 4.13 to 4.13.2. pull 6576, JENKINS-68542 , Remoting 4.13.2 changelog
Fix class attribute for Jenkins Symbols using <l:icon … />. JENKINS-68630

Notable changes since 2.332.4

Major enhancement

Modernise form components and Jenkins UI. JENKINS-67396 , pull 6084, pull 6442, JENKINS-68293 , pull 5743, JENKINS-68284 , pull 6473, pull 6295, pull 6273, pull 6229, pull 6307, pull 5778, pull 6248, pull 5417, pull 6186

Major bug fix

Update Remoting from 4.11.2 to 4.13 to allow Java Web Start agents to connect (regression in 2.318). Allow agent reconnects on Java 11 and WebSocket. Prevent infinite loop in case of a closed SSL connection. pull 5983, pull 6329, JENKINS-67000 , JENKINS-66446 , JENKINS-67928 , Remoting 4.12 changelog, Remoting 4.13 changelog

Enhancement

Reject connections from agents with unsupported Remoting versions. JENKINS-50211
Update site warnings can now be configured with Configuration as Code. Allow setting a user's primary view via Configuration as Code. pull 6202, JENKINS-56057 , pull 6203, JENKINS-61985
Remove support for RoleChecker#check(RoleSensitive) calls which were added again in Jenkins 2.319. All remoting Callable implementations need to perform an actual role check as documented. pull 5901, Remoting callables documentation
Remove the Java Native Runtime (JNR) library from Jenkins core. pull 6323, Java Native Runtime project
Remove unused glibc package from Alpine-based Docker images. Docker pull request 1361
Remove unnecessary packages from Debian-based Docker images. Docker pull request 1375
Winstone 5.24 - Add an option to write the listening port to a file. Remove automatic self-signed certificate if TLS is specified but no keystore pull 5928, JENKINS-66379 , Winstone 5.23 changelog, Winstone 5.24 changelog
Add slim Debian-based JDK 17 Docker image. Docker pull request 1360
Add Alpine-based JDK 17 Docker image. Docker pull request 1362

Bug fix

Render the question mark on the new help button only once so that it is not shown twice, even while using different themes. pull 6233
Wait for the computation to finish when triggering a new build while the build graph is being recomputed. This guarantees that recently updated build triggers are executed. JENKINS-67237

Security

Important security fixes. security advisory

Enhancement

Remove SSH Plugin from setup wizard plugin selection. JENKINS-68556

Major bug fix

Avoid a deadlock between agent class loading and logging. JENKINS-68122

Enhancement

Replace the computer-flash GIF icon with the hourglass icon. JENKINS-67742
Make "View build information" pages readonly for users who don't have permission. JENKINS-67967
Upgrade bundled Jackson 2 API plugin from 2.12.0 to 2.13.2.20220328-273.v11d70a_b_a_1a_52. JENKINS-68276 , pull 6480, Jackson 2 API plugin changelogs

Bug fix

Allow filtering updates in plugin manager by plugin ID (regression in 2.320). JENKINS-68260
Display log entries with missing logger names in the log viewer. pull 6310
Preserve load statistics data for label expressions. JENKINS-68055
Fix bad encoding of security warnings in French showing special characters. pull 6382

Enhancement

Show warning dialog if Java 8 is selected in Windows installer. JENKINS-68170 , pull 306 (packaging)

Bug fix

Prefer --httpPort from JENKINS_ARGS over HTTP_PORT when the two differ. JENKINS-68007 , pull 296 (packaging)
Remove unnecessary log spam when starting Jenkins under systemd on Debian 11 (regression in 2.333 and 2.332.1). JENKINS-67995
Don't show build status on jobs that are not yet built (regression in 2.321). JENKINS-67797
Ensure inbound agent restart logic is applied. JENKINS-66446
Recover gracefully after incorrect merge of /etc/sysconfig/jenkins on Red Hat-based systems. JENKINS-68149 , pull 301 (packaging)

Changes since 2.332

Enhancement

Switch Linux installers from System V init to systemd. JENKINS-41218
Update the bundled Matrix Project plugin from 1.18 to 1.20. pull 6180, JENKINS-67674 , 2022-01-12 security advisory
Update bundled Display URL API plugin to prevent issues starting the mailer plugin for offline installations. JENKINS-67885

Bug fix

Keep the same height when dragging and dropping a component (regression in 2.277). JENKINS-67496
Correctly render expandable text boxes into multiple lines (regression in 2.197 and 2.176.4). JENKINS-67627
Show correct feature name in tooltips of help links (regression in 2.179). JENKINS-67662
Launch only one agent to satisfy cloud agent requests that use label expressions. JENKINS-67635
Truncate long build names again (regression in 2.332). JENKINS-67689
Overwrite grey balls icon with the modern "not built" status. JENKINS-67753
Render the question mark on the new help button only once so that it is not shown twice, even while using different themes. pull 6233
Update remoting from 4.11 to 4.12 to allow Java web start agents to connect (regression in 2.318). pull 5983, JENKINS-67000 , Remoting 4.11.2 changelog, Remoting 4.12 changelog
Restart systemd service when the controller exits unexpectedly. JENKINS-56219
Restart the Jenkins service after plugin updates on Debian 11 (bullseye). JENKINS-65809

Notable changes since 2.319.3

Major enhancement

Always enable the agent-to-controller security subsystem. Remove the admin-customizable allowlists for callables and file paths. Remove the ability to access some files on the controller from agents. Use the Plugin Manager to upgrade incompatible plugins. pull 5885, JENKINS-67173 , the issue tracker
Upgrade the Guava library from 11.0.1 (released on January 9, 2012) to 31.0.1 (released on September 27, 2021). Plugins have already been prepared to support the new version of Guava. Use the Plugin Manager to upgrade all plugins before and after upgrading Jenkins. pull 5707, JENKINS-36779 , JEP-233, Guava web site, Guava 31.0.1 changelog

Enhancement

Modernise the table design. Add support for Ionicons. Improve the usability and layout of the 'Plugin Manager' page with better controls and a 'Report an issue' link for each plugin. Update the 'New view', 'New node', 'About', 'System Info', and 'Log Recorder' pages. pull 5851, pull 5925, pull 5842, pull 6055, pull 5916, pull 5358, JENKINS-65113
Allow the plugin manager to upload by URL in addition to upload by file name. JENKINS-4814
Improve visualization of the 'Environment Variables' page. pull 6096
Improve artifact list readability in dark theme. pull 5889
Use CSS animation for console progress. pull 5871
Remove support for plugins written in JRuby or Jython. JRuby support has been removed from the Stapler web framework used in Jenkins core. Plugins written in JRuby and Jython have not been distributed by update center since January 22, 2022. pull 6103, JEP-7: Deprecation of Ruby and Python plugin runtimes, Deprecating non-Java plugins (blog post), Stapler repository, JRuby project
Remove support for setting the Jenkins home directory via Java Naming and Directory Interface (JNDI). pull 6111
Developer: Provide a stable version of ObjectWebASM (currently 9.1) on the classpath. pull 5524, ObjectWebASM web site
Developer: Use the upstream version of AntClassLoader without custom patches. pull 5856

Security

Security fix. security advisory

Bug fix

Fix ClassNotFoundException: io.jenkins.cli.shaded.org.w3c.dom.Node when using JAXB. JENKINS-67470
Launch only one agent to satisfy cloud agent requests that use label expressions. JENKINS-67635

Enhancement

Upgrade the XStream library from 1.4.18 to 1.4.19. Addresses the CVE-2021-43859 security vulnerability when unmarshalling highly recursive collections or maps causing a Denial of Service. pull 6231, XStream 1.4.19 changelog, XStream CVE-2021-43859

Security

Security fix. security advisory

Enhancement

Only apply trimLabels operation to affected nodes when adding or removing them. JENKINS-67099
Improve FilePath telemetry collection and its description. JENKINS-67332 , JENKINS-67226 , pull 5957, pull 6031, pull 6061

Changes since 2.319

Bug fix

Do not attempt to canonicalize tar entries when untaring, as the result may be unexpected for symlinks. JENKINS-67063
Fix form submission for file access rules of agent to controller security subsystem (regression in 2.111). pull 5881, JENKINS-67061 , Upgrade guide - Agent to controller path filter security fixes
Fix missing hyperlink in build history (regression in 2.314). JENKINS-67028
An exception thrown by a RestartListener no longer leaves Jenkins in a zombie-like state. JENKINS-67002
Prevent LinkageError during class loading (regression in 2.309). JENKINS-66993
Show ongoing first build in build history (regression in 2.314). JENKINS-66969
Jenkins startup could hang due to a deadlock in class loading. JENKINS-67188
Display the "Configure System" icon in the drop down menu. JENKINS-67033

Notable changes since 2.303.3

Major enhancement

Replace the term "master" for the main Jenkins application with "controller" or "built-in node" in user interface strings and documentation. New installations get the new node and label immediately. Existing installations do not change the node name (e.g. NODE_NAME environment variable) or label of the built-in node until an administrator explicitly performs the migration. If a job definition, Pipeline definition, or tool installer reference must be tied to the built-in node, it should use the label "built-in". Upgrade guide - Built-In Node Name and Label Migration

Enhancement

Modernise the "Manage Jenkins" screen. pull 5693
Modernise the "Build History" search bar. pull 5692
Update appearance for feed bar and description button to be modern and consistent. pull 5664
Improve layout of console output header. pull 5507
Show new status icons in build history. JENKINS-66659
Update tooltips to be consistent across Jenkins. pull 5763
Use SVGs over PNGs for the sidebar when possible. Breadcrumb bar/logo/menu items are now correctly aligned on the left together. Move old war/images folder to webapp so they can be used in frontend - the SVGs are now in the webapp/images/svgs folder. pull 5663
Replace the old icons with the new SVG icons in the job trend page. JENKINS-65928
Graphs now scale correctly on high resolution screens. pull 5697
Screen resolution cookie now has the secure flag set when Jenkins is running on HTTPS. JENKINS-49675
Deprecate the -cp option in the remoting agent.jar command line. Upgrade from Remoting 4.10 to Remoting 4.11. pull 5821, JENKINS-64831 , Remoting 4.11 changelog
When the buildWithParameter API is called, if the requests with the same parameters in the queue are merged, the http response code of the request uses a more appropriate 303(see other) instead of 201(created). JENKINS-66105
Remove deprecated, unsafe classes previously copied from Apache Ant. Docker Slaves plugin is incompatible with this change. JENKINS-66930
Load classes from plugins in parallel for faster startup on multicore machines. JENKINS-23784
Remove the Woodstox implementation of the StAX API from Jenkins core. Users of the Azure Artifact Manager, Azure Container Agents, Azure Storage, and Azure SDK API plugins must upgrade those plugins to the latest versions in lockstep with this core upgrade. Plugins that consume Woodstox should depend on it directly or via the Jackson 2 API plugin. pull 5651, Woodstox implementation, StAX API, Azure Artifact Manager plugin, Azure Container Agents plugin, Azure Storage plugin, Azure SDK API plugin, Jackson 2 API plugin
Internal: Experimental support for URLClassLoader can be enabled by setting hudson.ClassicPluginStrategy.useAntClassLoader=false. pull 5698

Bug fix

Fix wrong parameter type for Text Parameter when triggering a build via the buildWithParameters API call. pull 5704
Use the JVM's default keystore type for the Jenkins server when terminating TLS connections within Jenkins. Used if Jenkins is started with the --httpsPort argument. Winstone 5.21: Update Jetty from 9.4.42.v20210604 to Jetty 9.4.43.v20210629. pull 5670, JENKINS-66379 , Winstone 5.20 changelog, Winstone 5.21 changelog, Jetty 9.4.43 changelog
Correction of label expression including a "implies" relationship without spaces around. JENKINS-66613
Fix agent handshake when connecting over Websocket on Java 11. Upgrade from Remoting 4.10 to Remoting 4.11. pull 5821, JENKINS-61212 , Remoting 4.11 changelog

Security

Important security fixes. security advisory

Major enhancement

Security hardening: Require role check for remoting callables. LTS upgrade guide, developer documentation

Enhancement

Always allow configuring agent-to-controller security subsystem.

Bug fix

Correction of Label expression including a "implies" relationship without spaces around. JENKINS-66613

Security

Security fixes. security advisory

Enhancement

Security hardening: The "short description" of build causes is now defined as plain text instead of HTML. related LTS upgrade guide entry, related developer documentation
Bump bundled Ant from 1.10.10 to 1.10.11. pull 5620
Upgrade from xstream 1.4.17 to 1.4.18. pull 5685, JENKINS-66507 , XStream 1.4.18

Bug fix

Allow Jenkins to start when the JCasC configuration defines view-related permissions (regression in 2.302). JENKINS-66470
Use the JVM's default keystore type for the Jenkins server when terminating TLS connections within Jenkins. Used if Jenkins is started with the --httpsPort argument. Winstone 5.21: Update Jetty from 9.4.42.v20210604 to Jetty 9.4.43.v20210629. pull 5670, JENKINS-66379 , Winstone 5.20 changelog, Winstone 5.21 changelog, Jetty 9.4.43 changelog
Fix wrong parameter type for Text Parameter when triggering a build via the buildWithParameters API call. pull 5704

Changes since 2.303

Bug fix

Fix an issue unzipping archives in a corner case when entries have the same path prefix as the target location. JENKINS-66094
Detect files in a symlink that points to a directory (regression in 2.301). Bump Commons IO to 2.11.0. pull 5675, JENKINS-66413 , Apache Commons-IO issue 741
Show tooltips when users hover on the SVG icons. JENKINS-65923

Enhancement

Use Java 11 in Docker images instead of Java 8. Blog post
Allow Java 11 administrative monitor to be disabled with a system property. JENKINS-66177

Notable changes since 2.289.3

Major bug fix

Fix SSH command line interface (CLI) authentication (regression in 2.284). JENKINS-65273
Fix NoSuchMethodError when using plugins that rely on bridge methods for compatibility (regression in 2.278). JENKINS-65605

Major enhancement

Remove Apache Commons Digester library and related code from the Jenkins core. pull 5320, JENKINS-65161 , Announcement and upgrade guidelines

Bug fix

Jenkins redirects users to the previous page after login even if they were able to view it while not logged in (regression in 2.266). JENKINS-64991
Improve contrast for the checkbox in the login page. pull 5536

Enhancement

Recommend running on Java 11. JENKINS-65577
Display Pipeline builds among user build history and remove incorrect warning about view build history. JENKINS-59412
Show implied plugin dependencies or a count of dependencies for plugins split from core. pull 5472
Explain that some plugin updates can be unavailable even on the latest version of a given release line (i.e. LTS). pull 5462
Update French terminology for controller. JENKINS-65398
Change the word 'number' to 'integer' in the error message of the number field. pull 5538
The Jenkins process management functionality now supports FreeBSD. pull 5563
Optimize access control checks affecting (at least) Pipeline node steps. pull 5586
Remove JEP-200 compatibility workarounds for releases published before February 2018 of the following plugins: Maven Integration, Job DSL, Monitoring, Git Client, Pipeline: Supporting APIs, OWASP Dependency-Check. pull 5454, Plugin versions with a fix, JEP-200
Update Stapler from 1.263 to 1563.v3da2d02f9572 to improve performance when encoding unicode characters in JSON API. pull 5422, Stapler 1527.ve41b3ce15c05 changelog, Stapler 1532.vfcf95addcb5f changelog, pull 5549, Stapler 1539.v2f05ce93882d changelog, Stapler 1563.v3da2d02f9572 changelog
Stop bundling the External Monitor Job Type, LDAP, and PAM Authentication plugins. Jenkins will no longer automatically install the External Monitor Job Type, LDAP, or PAM Authentication plugins on startup if a plugin depending on Jenkins 1.467 or earlier is discovered. If you use such a plugin that also relies on the functionality provided by the External Monitor Job Type, LDAP, or PAM Authentication plugin and manage plugins outside Jenkins' plugin manager, you will now need to ensure that a recent release of the External Monitor Job Type, LDAP, or PAM Authentication plugin is installed. Jenkins will attempt to load such plugins but may fail at any time during startup or afterwards with ClassNotFoundException or similar. pull 5445, External Monitor Job Type plugin, LDAP plugin, PAM Authentication plugin
Winstone 5.19: Update Jetty from 9.4.41.v20210516 to Jetty 9.4.42.v20210604. pull 5589, Winstone 5.19 changelog, Jetty 9.4.42 changelog
Bump spring-security-bom from 5.4.6 to 5.5.1. pull 5505, Spring project spring-security 5.5.0 release notes, pull 5598, Spring project spring-security 5.5.1 release notes
Bump sshd-core from 2.5.1 to 2.7.0 in Jenkins CLI. pull 5547
Add X-Frame-Options header to AJAX responses. pull 5555
Remove the Bytecode Compatibility Transformer library and related code from Jenkins core. Developer: Plugins that rely on the hudson.model.Queue$Item#id or hudson.model.AbstractProject#triggers fields must be updated to call the corresponding getters. pull 5526, Vertx plugin, Slave Prerequisites plugin
Stop sending HTTP response headers related to the remoting-based CLI (removed in 2.165). pull 5452
Internal: Upgrade from Remoting 4.7 to Remoting 4.10 with bugfixes and dependency updates. pull 5478, JENKINS-40700 , Remoting 4.8 changelog, pull 5539, Remoting 4.9 changelog, pull 5607, Remoting 4.10 changelog
Developer: Remove JTidy dependency from Jenkins core. Plugins that use JTidy functionality must be updated to explicitly declare a dependency on JTidy rather than relying on Jenkins core to provide this library. pull 5521, NIS notification lamp plugin
Developer: InterceptingExecutorService and its subclasses no longer extend com.google.common.util.concurrent.ForwardingExecutorService or com.google.common.collect.ForwardingObject. pull 5565
Developer: Remove jna-posix dependency from Jenkins core. Plugins that use jna-posix functionality must be migrated from jna-posix to jnr-posix. pull 5560, Maven Repository Scheduled Cleanup plugin, SICCI for Xcode plugin, java.io.tmpdir cleaner plugin
Developer: The hudson.util.SubClassGenerator and experimental hudson.model.TreeView class have been removed without replacement. pull 5566, pull 5603

Bug fix

Improve build status progress animation. JENKINS-65574

Security

Important security fixes. security advisory

Enhancement

Winstone 5.18: Update Jetty from 9.4.39.v20210325 to 9.4.41.v20210516 for bug fixes and enhancements. JENKINS-65624 , pull 5437, pull 5540, Winstone 5.17 changelog, Winstone 5.18 changelog, Jetty 9.4.40 changelog, Jetty 9.4.41 changelog
Update from xstream 1.4.16 to 1.4.17. pull 5498, JENKINS-65657 , XStream 1.4.17

Bug fix

Prepare for form submission changes in future Firefox releases. Adapt form validation for all web browsers and form validation test automation for HtmlUnit based tests. JENKINS-65585 , pull 5479, pull 5405
A race condition in class loading could result in a LinkageError. JENKINS-65766
Do not change fonts when build artifacts are as shown as a tree. JENKINS-65751
Jenkins redirects users to the previous page after login even if they were able to view it while not logged in (regression in 2.266). JENKINS-64991
Fix incorrect process termination issues when running on macOS. JENKINS-65195
Add check to prevent out of bounds memory access error on macOS. JENKINS-64347

Changes since 2.289

Major bug fix

Fix NoSuchMethodError when using plugins that rely on bridge methods for compatibility (regression in 2.278). JENKINS-65605

Bug fix

Fix form submission for some specific form validation cases (regression in 2.289). JENKINS-65585
Wrap the build name in the build results list if it is too long. JENKINS-65190
Improve performance for standard input of the Jenkins CLI, for example with the `install-plugin` command. JENKINS-64294
Fix an issue archiving files greater than 4 GiB in size when creating ZIP64 archives. JENKINS-52356

Notable changes since 2.277.4

Major enhancement

SSHD module is no longer bundled in Jenkins core. Provide SSHD as a plugin. JENKINS-55582 , JENKINS-64107 , pull 5049, pull 5206, SSHD module repository
Add modern icons: build status and weather. pull 5065, pull 5392
Developer: Add support for plugins to use external SVG sprites in their icons. pull 5065, Example external SVG sprite implementation in GitHub Branch Source plugin

Enhancement

Add administrative monitors recommending no executors are configured on the controller. pull 5337
Add indicator for security-related entries in the global administrative monitors configuration. pull 5078
Improve UI of slow trigger administrative monitor. pull 5424
Support 'min' and 'max' values in field definitions of forms. JENKINS-63855
Improve button focus states. pull 5291
Do not force plugin upgrades of recently detached plugins. pull 5311
Stop bundling the Ant and Javadoc plugins. Jenkins will no longer automatically install the Ant and Javadoc plugins on startup if a plugin depending on Jenkins 1.430 or earlier is discovered. If you use such a plugin that also relies on the functionality provided by the Ant or Javadoc plugin (e.g., the RAD Builder and manage plugins outside the Jenkins plugin manager, you will now need to ensure that a recent release of the Ant or Javadoc plugin is installed. Jenkins will attempt to load such plugins but may fail at any time during startup or afterwards with ClassNotFoundException or similar. pull 5338, Ant plugin, Javadoc plugin, RAD Builder plugin
Improve performance when creating or deleting nodes by reducing queue-lock contention. pull 5402, pull 5412, JENKINS-65308
Improve support for update site-defined setup wizard suggestions. JENKINS-65172
Switch to sending POST requests by default for form validation URLs. pull 4623
Add a Jenkins User-Agent header to outgoing HTTP requests by default. Use jenkins.UserAgentURLConnectionDecorator.disabled to disable it if needed. pull 5368
Remove the hardcoded JKS key store so that other key stores can be used, like BCFKS from the FIPS version of Bouncy Castle. pull 5266
Upgrade from Remoting 4.6 to Remoting 4.7 with bugfixes and dependency updates. pull 5292, Remoting 4.7 changelog
Upgrade bouncycastle-api plugin from 2.16.0 to 2.20. Upgrade Bouncy Castle library to 1.64. pull 5347, bouncycastle-api 2.20 changelog, bouncycastle-api 2.18 changelog, bouncycastle-api 2.17 changelog, bouncycastle-api 2.16.3 changelog, bouncycastle-api 2.16.2 changelog, bouncycastle-api 2.16.1 changelog, Bouncy Castle library 1.64 release notes
Bump spring-security-bom from 5.4.5 to 5.4.6. pull 5413, Spring project spring-security 5.4.6 release notes
Internal: Update Stapler from 1.262.1 to 1.263 to use latest Apache commons-beanutils. Update Apache commons-beanutils from 1.9.3 to 1.9.4. pull 5324, Stapler 1.263 release notes, Apache commons beanutils 1.9.4 release notes

Bug fix

Sort available plugins by name when popularity is equal. pull 5359
Honor the current folder when creating new views with the "New View" link. JENKINS-56934
Do not render full error responses in case of internal errors when validating fields in configuration forms. JENKINS-65017
Accept negative numbers in number input controls (regression in 2.274). pull 5341
Improve reconnection behavior for inbound TCP agents. JENKINS-64510

Bug fix

Fix disabled dropdown items to appear disabled (regression in 2.277.1). JENKINS-65021
Fix load statistics graph links to include correct graph duration (regression in 2.277.1). JENKINS-65336
Honor the current folder when creating new views with the "New View" link. JENKINS-56934

Enhancement

Upgrade from xstream 1.4.15 to 1.4.16. pull 5360, JENKINS-65281 , XStream 1.4.16

Security

Important security fix. security advisory

Enhancement

Winstone 5.16: Update Jetty from 9.4.38.v20210224 to 9.4.39.v20210325 for bug fixes and enhancements. pull 5380, Winstone 5.16 changelog, Jetty 9.4.39.v20210325 changelog

Security

Security fixes. security advisory

Major bug fix

Fix help buttons in the draggable section (regression in 2.277.1). JENKINS-64972

Enhancement

Security hardening against some CSRF attacks. related upgrade guide entry

Bug fix

Fix NoClassDefFoundError exception while executing ProcessTree.get(). JENKINS-62006
Prevent Jenkins queue deadlock when cancelling tasks under certain conditions. JENKINS-64931
Reduce logging of renamed API endpoint. JENKINS-65186

As described in the Major changes in the weekly release line blog post, this release improves key user interface components. Configuration user interfaces now use html div markup to present a better layout than the previous html table layout. Configuration pages are now easier to read, easier to understand, and work better on a wide range of screens. See the Jenkins issue tracker for a list of plugins known to have issues with the change.

As described in the Spring and XStream updates (breaking changes!) blog post, this release updates and replaces outdated internal components. The Acegi security library used for authentication has been replaced by Spring Security (JEP-227). See the Spring Security compatibility table for the latest plugin compatibility status. A fork of the XStream library used to read and write XML files has been replaced by the upstream version of XStream (JEP-228). See the XStream compatibility table for the latest plugin compatibility status.

Known IssuesIf your Jenkins instance was created before Jenkins 2.4 or 2.7.1 LTS, a Setup Wizard may appear on the startup after the upgrade. In such a case, a Jenkins admin may need to skip the plugin installation. See the upgrade guide for the detailed guidelines.

Changes since 2.277

Security

Important security fix. This vulnerability does not exist in any Jenkins LTS release. It was discovered in a weekly release and fixed in a weekly release without being part of an LTS release. security advisory, Spring Security 5.4.4 release notes, Spring Security 5.4.3 release notes

Major bug fix

Show available plugin updates by reloading update center data on upgrade/downgrade. JENKINS-41727
Fix Internet Explorer 11 rendering of the Available plugins tab (regression in 2.270). JENKINS-64805
Include 'plugin-id' and 'plugin-version' data attributes in the Available plugins tab (regression in 2.270). JENKINS-64775
Fix plugin search over multiple update sites (regression in 2.270). JENKINS-64840

Bug fix

Restore, as deprecated, the old constructor based on acegisecurity Authentication parameter in order to keep backward compatibility. JENKINS-64746 , pull 5216, Spring Security 5.4.2 release notes

Notable changes since 2.263.4

Major enhancement

Change Jenkins configuration UI from tables to divs for layout in forms. JENKINS-56109 , pull 3895, Table to div layout migration guide
Massive performance enhancement to available plugins page of Plugin Manager. Exact matches of plugin name are moved to the top. JENKINS-64196
Developer: Use an updated version of the XStream serialization library without custom patches. pull 4944, pull 5115, JEP-227, Spring and XStream updates (breaking changes!) blog post, XStream 1.4.14 changelog, XStream 1.4.15 changelog
Developer: Use Spring Security rather than its predecessor, Acegi Security. Other bundled Spring libraries are also updated. pull 4948, pull 5166, JEP-228, Spring and XStream updates (breaking changes!) blog post, Spring Security 5.4.2 release notes
Developer: Upgrade jQuery from 2.1.4 to 3.5.1. pull 4929, jQuery older release notes (3.1.1, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.4.1), jQuery 3.5.0 release notes, jQuery 3.5.1 release notes

Bug fix

Fix incorrect striping of rows on available page of Plugin Manager. JENKINS-63684
Prevent user input of 'e' or 'E' as 'positive-number', 'non-negative-number', or 'number'. JENKINS-64439
Change the standard URL for obtaining the inbound agent configuration file from ${agent_url}/slave-agent.jnlp to ${agent_url}/jenkins-agent.jnlp. The old name is obsolete and will be removed at a future time. JENKINS-35452

Enhancement

Improve performance of authorisation strategies when the authentication realm is case insensitive. JENKINS-64039
Add the ability to specify a reason for quieting down Jenkins ("Prepare for shutdown"). JENKINS-1877
Dropped support for deprecated system properties: hudson.model.Hudson.logStartupPerformance, hudson.model.Hudson.initLogLevel, hudson.model.Hudson.parallelLoad, hudson.model.Hudson.killAfterLoad and hudson.model.Hudson.workspaceDirName. Please use jenkins.model.Jenkins.-prefixed SystemProperties. pull 4962
Remove administrative monitor offering to migrate $JENKINS_HOME on a ZFS filesystem. pull 5047
Show security and non-security notifications in separate categories with their associated icons. JENKINS-63977
Reduce page load time by loading the administrative monitors popup on demand. Allow keyboard navigation even when there are active administrative monitors. pull 5063
Use a more accessible color palette in configuration form tabs. pull 5176
Improve fingerprint save performance. pull 5190, pull 5198, JENKINS-64670
Add a system property jenkins.agent.inboundUrl to provide an alternate URL for inbound TCP agents. JENKINS-63222
Drop support for deprecated system properties: hudson.model.Hudson.logStartupPerformance, hudson.model.Hudson.initLogLevel, hudson.model.Hudson.parallelLoad, hudson.model.Hudson.killAfterLoad and hudson.model.Hudson.workspaceDirName. Please use jenkins.model.Jenkins.-prefixed SystemProperties. pull 4962
Reduce lock contention around Jenkins queue. JENKINS-58101
Stop bundling CVS plugin. Jenkins will no longer automatically install CVS plugin on startup if a plugin depending on Jenkins (then Hudson) 1.340 or earlier is discovered. If you use a plugin that relies on the functionality provided by CVS plugin and manage plugins outside the Jenkins plugin manager, you will now need to ensure yourself that a recent release of CVS plugin is installed. Jenkins will attempt to load such plugins but may fail at any time during startup or afterwards with ClassNotFoundException or similar. pull 5102
Winstone 5.15: Update Jetty from 9.4.30.v20200611 to 9.4.38.v20210224 for bug fixes and enhancements. JENKINS-64035 , pull 5034, pull 5122, pull 5332, Winstone 5.12 changelog, Winstone 5.13 changelog, Winstone 5.14 changelog, Winstone 5.15 changelog, Jetty 9.4.31.v20200723 changelog, Jetty 9.4.32.v20200930 changelog, Jetty 9.4.33.v20201020 changelog, Jetty 9.4.34 changelog, Jetty 9.4.35 changelog, Jetty 9.4.36 changelog, Jetty 9.4.37 changelog, Jetty 9.4.38 changelog
Upgrade from Remoting 4.5 to Remoting 4.6 with bugfixes and dependency updates. pull 5043, Remoting 4.6 changelog
Update stapler to 1.262 to fix a number of IllegalReflectiveAccessWarnings when running on Java 11. pull 5111, Stapler 1.262 changelog
Update jnr-posix library from 3.0.45 to 3.1.4. pull 5129, Commits from jnr-posix 3.0.45 to 3.1.4
Update Java native access (jna) library from 5.3.1 to 5.6.0 for more recent platform library fixes and enhancements. pull 5125, JNA 5.6.0 changelog, JNA 5.5.0 changelog, JNA 5.4.0 changelog

Enhancement

Improve performance in fingerprint file creation. JENKINS-64670

Bug fix

Use the correct freestyle font-size for descriptions. JENKINS-64332
Don't tell user's to signup when signup is not available. JENKINS-64426

Security

Security fix. 2021-01-26 security advisory

Major bug fix

Provide a default implementation of the "all files in zip" download link. This is especially important for external storage plugin (regression in 2.263.2). JENKINS-64655
Fix the file handle leak inside DirectoryBrowserSupport (regression in 2.263.2). pull 5188, JENKINS-64632 , SECURITY-1452
Include root folder in downloaded zip files (regression in 2.263.2). Resolve an additional related zip archive root folder issue. pull 5187, JENKINS-64621 , JENKINS-61473 , SECURITY-1452

Security

Important security fixes. security advisory

Major bug fix

Help text now expands in behaviours for GitHub organization folders (regression in 2.244). JENKINS-64373

Enhancement

Security hardening related to XML processing using Digester2. related upgrade guide entry
Security hardening related to form validation responses. related upgrade guide entry
Security hardening restricting label names. related upgrade guide entry
Internal: Updated Node version to latest LTS (14.15.1). pull 5087

Bug fix

Populate select fields with default values (regression in 2.244). JENKINS-64071 , JENKINS-64125 , pull 5081
Wrong unicode codes in Spanish translation and small improvements. JENKINS-64330

Changes since 2.263

Major bug fix

Fix hidden page elements from radio blocks showing up when they should not. pull 5046, JENKINS-64040 , JENKINS-64136

Bug fix

Fix file handle leak when viewing corrupted build logs. Upgrade Stapler from 1.260 to 1.261. pull 5038, Stapler 1.261 changelog
Prevent the Build History Widget from crashing when users have Discover permissions without Read for folders. JENKINS-63868

Enhancement

Winstone 5.12: Update Jetty from 9.4.30.v20200611 to 9.4.33.v20201020. Introduce LowResourceMonitor from Jetty by upgrading to Winstone 5.12. JENKINS-64035 , pull 5034, pull 4975, Winstone 5.12 changelog, Jetty 9.4.31.v20200723 changelog, Jetty 9.4.32.v20200930 changelog, Jetty 9.4.33.v20201020 changelog
Improve performance of authorisation strategies when the authentication realm is case insensitive. JENKINS-64039

Notable changes since 2.249.3

Major bug fix

Fix Debian / Ubuntu Java version check for Java 11.0.9.1. JENKINS-64212 , pull 198 (packaging)

Major enhancement

Graduate Overall/SystemRead permission to general availability (GA) status. pull 4909, JEP-224
SSHD module 2.7: Remove deprecated key exchange and MAC algorithms. pull 4951, SSHD module 2.7 changelog

Enhancement

SSHD module 2.7: Allow configuring disabled key exchange and MAC algorithms through system properties. pull 4951, SSHD module 2.7 changelog
Improve the layout and clarity of the page displayed when jobs are not yet created. JENKINS-63592
Allow users with the Jenkins/MANAGE permission to restart and safe restart Jenkins. JENKINS-63795
Set Cross-Origin-Opener-Policy to same-origin. pull 4910, Cross-Origin-Opener-Policy at developer.mozilla.org
Improve the scripting capacity related to the API Token system. Provide a way to configure a fixed/default API Token for admin during installation phase. JENKINS-57484
Developer: Improve the combobox component to support default value and readonly mode. pull 4939
Developer: Allow migration of fingerprints from local storage to external storage. JENKINS-62757
Developer: Expose fingerprint range set serialization methods for plugins. pull 4888
Developer: Pluggable Artifact Storage: Make the VirtualFile API generally available to plugin developers. pull 4974, JEP-202
Developer: A SimpleBuildStep or SimpleBuildWrapper can now choose not to require a workspace context (working directory and launcher). JENKINS-46175
Developer: Cloud implementations are given more context about ongoing planned nodes. Add CloudState to be passed to Cloud#provision and Cloud#canProvision methods. pull 4922

Bug fix

Hide description panel in sidebar if historyWidget.descriptionLimit is 0. pull 4978, Features controlled with System Properties
Prevent JavaScript error when registering validators in some cases. JENKINS-42228
Prevent resource leak in the File Fingerprint Storage implementation. pull 4992

Major bug fix

Fix extensions footer location (regression in 2.235.1). pull 4949, pull 5001, JENKINS-63798
Show display names in change list again (regression in 2.249.1). JENKINS-63712

Bug fix

Prevent radio buttons from moving when they are clicked. JENKINS-63332

Major bug fix

Fix migration of status filter when coming from an older version of Jenkins (regression in 2.249.1). JENKINS-62661

Bug fix

Make alert colors consistent with 'Manage Jenkins' alert colors. JENKINS-63330
Avoid warning on logs about Anonymous Class in hudson.FilePath. JENKINS-63563
Fix NullPointerException pollution on logs if PluginDeprecationMonitor is enabled and some conditions are met. JENKINS-63562
Developer: Make unavailable plugin background themeable. JENKINS-63331

Changes since 2.249

Security

Important security fixes from Jenkins 2.252 and 2.235.4. security advisory

Major bug fix

Stop pre-formatting agent logs to prevent deadlocks (regression in 2.231). JENKINS-63458
Fix button that copies API token to clipboard (regression in 2.238). JENKINS-63274
Restore wrapping tabs into multiple lines instead of overflowing (regression in 2.248). JENKINS-63180

Bug fix

Normalize widget colors to be consistent with the new color palette. Fixes bread crumbs flash in Dark Theme
Empty installed plugins table text is readable again (regression in 2.249). JENKINS-63276
Show build time data in the Build Time Trend Page (regression in 2.245). JENKINS-63232
Replace text references to slave with agent in Japanese documentation and messages. JENKINS-63166
Fix backspace key sometimes did not delete text from the Script Console on a Mac (regression in 2.248). JENKINS-63342
Fix regular expression validator UI location (regression in 2.244). JENKINS-63308

Enhancement

Prevent concurrent build deletion. JENKINS-61687

Notable changes since 2.235.5

Major enhancement

Release 'alpha' dark theme. JENKINS-60924 , pull 4752, JENKINS-62515 , pull 4763, pull 4772, pull 4814, pull 4842, pull 4843, Dark Theme repository, Introducing the Jenkins Dark Theme
Stop supporting .NET Framework 2.0 for launching Jenkins server and agents as a Windows service. .NET Framework 4.0 or above is now required. announcement, upgrade guidelines, JENKINS-60005 , JENKINS-61862 , Windows support policy
Update Windows Service Wrapper (WinSW) from 2.3.0 executable for .NET Framework 2.0 to 2.9.0 for .NET Framework 4.0. Includes numerous improvements and bugfixes. Most notably, the service installer will now ask for permission elevation if the required. changes summary, full WinSW changelog, Windows Agent Installer 2.0 changelog

Enhancement

Show in plugin manager when newer releases of plugins exist but aren't being offered due to unsatisfied requirements. Show warnings for deprecated plugins in the update manager and administrative monitors. pull 4073, JENKINS-59136 , pull 4742, JENKINS-62332
Provide a more modern look and feel for the Jenkins UI. JENKINS-62698 , pull 4808, JENKINS-61973 , pull 4700, JENKINS-62750 , pull 4816, JENKINS-56109 , pull 4820, JENKINS-63002 , pull 4835, Configuration UI Accessibility: Tables to Divs migration, pull 4782, JENKINS-4767 , JENKINS-62175
Remove page generation timestamp from the footer. JENKINS-61806
Allow users with Overall/Manage permission to configure Node Monitoring and to reload configuration from disk. JENKINS-62264 , pull 4724, JENKINS-61458 , pull 4728
Add system read support for 'Node Monitoring Configuration', configuring clouds, viewing agent configuration, system information, and logs. JENKINS-61206
Support Bearer tokens in Jenkins-CLI -auth parameter. pull 4673
Security hardening: Always round-trip password form control values in an encrypted form, even if not backed by an encrypted Secret field. In case of problems, this can be disabled by setting the system property hudson.util.Secret.AUTO_ENCRYPT_PASSWORD_CONTROL to false on startup. JENKINS-61808
Security hardening: Always use a placeholder value for password form control values in item related configuration forms when the user is missing Item/Configure permission, even if not backed by an encrypted Secret field. In case of problems, this can be disabled by setting the system property hudson.util.Secret.BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE to false. JENKINS-61808
Update Winstone from 5.9 to 5.10. Update Jetty from 9.4.27.v20200227 to 9.4.30.v20200611. Add --httpsRedirectHttp option that activates automatic HTTP request redirects to HTTPs. pull 4811, 9.4.28.v20200408 changelog, 9.4.29.v20200521 changelog, 9.4.30.v20200611 changelog
Add the ability to filter out environment variables for Shell and Windows batch build steps. JENKINS-62014
Allow fingerprint storage engine to be selected from the configuration page. Add new external fingerprint storage API methods. pull 4834, JENKINS-62345 , pull 4731, JEP-226, Fingerprint API Javadoc, Redis reference implementation
Developer: Add alert-success banner. JENKINS-62747
Developer: Add new extension points to define build step environment filters (currently in beta). JENKINS-62014
Internal: Upgrade to Remoting 4.5. This switches agent.jar and remoting.jar to a code-signing certificate owned by the CDF. pull 4832, Remoting 4.4 changelog, Remoting 4.5 changelog

Bug fix

Fix the default domain name in Windows service serviceaccount configurations. JENKINS-12660 , Windows Service Wrapper 2.7.0 changelog
Fix --httpKeepAliveTimeout option which had no effect (regression in 2.224). JENKINS-61823
Update Stapler from 1.259 to 1.260. JENKINS-61438 , pull 4813, Stapler 1.260 changelog
Fix IllegalArgumentException: Method not found error caused by misbehaviour in Util.isOverridden() (regression in 2.241). JENKINS-62723
Remove the fallback Jenkins URL from the JNLP launch file so that WebSocket agents can be connected over Java Web Start. JENKINS-63014

Security

Important security fixes. security advisory

Major enhancement

Major update of the Alpine-based Jenkins Docker image. Jenkins Docker image for Alpine now uses Alpine 3.12 and AdoptOpenJDK 8u262. upgrade guide

Security

Important security fixes. security advisory

Major enhancement

Use new 64 bit Windows installer with service account checks and port validation. Supports 64 bit Java 8 and 64 bit Java 11. Announcement, Upgrade guide

Bug fix

Allow graceful shutdown when SCM triggers are configured. JENKINS-62695
Fix IllegalArgumentException: Method not found error caused by misbehaviour in Util.isOverridden() (regression in 2.241). JENKINS-62723

Major enhancement

Update Debian and Red Hat repository signing keys for the Jenkins long term support repositories. announcement and upgrade guidelines

Security

Important security fixes. security advisory

Bug fix

Fix --httpKeepAliveTimeout option which had no effect (regression in 2.235.1). JENKINS-61823 , pull 4812, Winstone 5.9.1 changelog
Fix buttons that linger too long after closing modal (regression in 2.233 and 2.235.1). JENKINS-62560

Changes since 2.235

Major bug fix

Make plugin manager work on Internet Explorer 11 again (regression in 2.231). JENKINS-62163
Prevent telemetry warnings about missing javax.annotation classes when running with Java 11 (regression in 2.231). JENKINS-61920
Fix a deadlock involving custom loggers during agent startup (regression in 2.231). JENKINS-62181

Bug fix

Prevent Old Data Monitor from failing plugin loading in the case of class field unmarshalling issues. JENKINS-62231

Notable changes since 2.222.4

Major enhancement

Various improvements to the plugin manager, including: It no longer shows all available plugins by default; use search field to find plugins. They are now sorted by popularity by default. Additionally, categories are no longer used to group plugins, instead they're shown as labels. JENKINS-61166 , pull 4580, pull 4513, pull 4588, pull 4534, pull 4591, pull 4535, pull 4589, pull 4584
Organize entries on the Manage Jenkins page into categories and show them in a grid. pull 4546
Remove 'auto refresh' feature, including now obsolete auto refresh telemetry capability. pull 4503
Users with extended read permission now get a more read-only looking UI. JENKINS-61202 , pull 4479, Read-only Jenkins Configuration blog post
Allow users with Overall/SystemRead permission to view About Jenkins, Manage Plugins, Global Security Configuration, and System Log. JENKINS-61205 , JENKINS-61201 , JENKINS-61203 , JENKINS-61207 , JENKINS-61455 , JENKINS-61208 , JENKINS-61208
Allow users with Overall/Manage permission to access the System Information, Prepare for Shutdown, and About Jenkins management links. Usage Statistics in Global Configuration is now also configurable by users with that permission. JENKINS-61456 , JENKINS-61453 , JENKINS-61457 , JENKINS-61455

Bug fix

Distinguish between defined (*****) and undefined (N/A) password on read-only configuration forms for users with Overall/SystemRead or Item/ExtendedRead permissions. JENKINS-61812

Enhancement

Use modern system fonts provided by the browser when possible. Changes font size for body copy and headings to improve consistency and legibility. JENKINS-60921
Restyle buttons. Add support for large buttons, hyperlinks styled as buttons and icon-only buttons. JENKINS-61840
Restyle the help icon. pull 4663
Improve styling of alert banners to be more visually appealing and to better match existing user interface components. Alerts now fully cover the navigation bar while they are displayed instead of covering only a portion of the navigation bar. JENKINS-61478
Suppress error stack traces for non-administrator users as core capability. JENKINS-60410

Major bug fix

Prevent a form validation "404 Not Found" error when the resource root URL configuration points at a previously configured resource root URL (regression in 2.222.1). JENKINS-62133

Bug fix

Upgrade to Remoting 4.2.1 to fix an issue with large payloads over WebSockets. Requires a matching agent.jar with remoting 4.2.1 or later. JENKINS-61409 , pull 4601, pull 4596, Remoting 4.2.1 changelog, WebSockets blog post, JEP-222
Update Groovy Init hooks to run after all job configurations are adapted. JENKINS-61694
Fix spacing between error messages in Setup Wizard (regression in 2.222.1). JENKINS-61660
Fix input field hints for tools like the git plugin that search the PATH for their executable (regression in 2.222.1). JENKINS-61711
Remove grey bar below the textarea form elements for read only users. JENKINS-61284
Distinguish between defined (*****) and undefined (N/A) password on read-only configuration forms for users with Overall/SystemRead or Item/ExtendedRead permissions. JENKINS-61812

Enhancement

Users with extended read permission now get a more read-only looking UI. JENKINS-61202 , pull 4479, JENKINS-61321 , pull 4541

Major bug fix

Use the saved global build discarder configuration on restart. JENKINS-61688
Fix proxy form validation when a password is set (regression in 2.222.1). JENKINS-61692

Bug fix

Prevent NullPointerException when hitting Check Now against a custom update center without tool installer metadata. JENKINS-60788
Prevent one occurrence of "Jenkins.instance is missing" during Jenkins restart. pull 4525, JENKINS-60454 , JENKINS-55070 , JENKINS-59992 , JENKINS-61192

Enhancement

Developer: Make h.checkAnyPermission and <l:layout permissions="..."> work on objects that aren't AccessControlled. JENKINS-61465
Developer: Prevent spurious deprecation messages by removing the deprecated findbugs-annotation. JENKINS-61279

Bug fix

Jenkins 2.222.2 was not placed in the artifact repository or on the download site.

Changes since 2.222

Security

Important security fixes. security advisory

Major bug fix

Fix drag & drop for previously saved steps in the job configuration form (regression in 2.217). JENKINS-61429
Winstone 5.9: Fix propagation of the maximum form content size and form content keys number (regression in Jetty 9.4.20 and Jenkins 2.205). pull 4542, JENKINS-60409 , Winstone 5.9 changelog, Jetty 9.4.27 changelog
Winstone 5.9: Fix improper reverse proxy redirects to host due to X-Forwarded-Host and X-Forwarded-Port ordering issue (regression in Jetty 9.4.20 and Jenkins 2.205). pull 4542, JENKINS-60199 , Winstone 5.9 changelog, Jetty 9.4.27 changelog

Enhancement

Security hardening related to request routing and CSRF protection. related upgrade guide
Developer: Listen on loopback interface by default in debug mode. pull 4515

Notable changes since 2.204.6

Major enhancement

Revamp the layout and icons of the header bar and breadcrumbs. Instances with plugins that depend on details of the Jenkins layout (e.g. Simple Theme Plugin) may experience UI/layout problems. A new experimental header color scheme can be enabled by setting the jenkins.ui.refresh system property to true. JENKINS-60920
Add globally configured build discarders that delete old builds not marked as "keep forever" even if there is no, or a less aggressive, per-project build discarder configured, executed periodically and after a build finishes. pull 4368
Move cloud configuration from Configure System into its own configuration form on the Manage Nodes page. pull 4339
Remove Enable Security checkbox in the Global Security configuration. JENKINS-40228
Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. pull 4509
Redesign password fields to prevent password auto-fill except for the login form. Reduce browsers offering to update stored passwords. Revert by setting the system property hudson.Functions.hidingPasswordFields to false. pull 3991
Deprecate the macOS native installer packaging. Jenkins macOS native installer deprecation
Remove old, deprecated, unsupported agent protocols Inbound TCP Agent Protocol/1, Inbound TCP Agent Protocol/2, and Inbound TCP Agent Protocol/3. Update Remoting from 3.36 to 4.2 to remove unsupported protocols and add WebSocket support. JENKINS-60381 , Remoting 3.40 release notes, Remoting 4.0 release notes, Remoting 4.0.1 release notes, Remoting 4.2 release notes
Add experimental WebSocket support. JEP-222, blog post
Extends the current milestones so plugins can update jobs and configuration during Jenkins initialization. Adds initialization milestones: SYSTEM_CONFIG_LOADED, SYSTEM_CONFIG_ADAPTED, JOB_CONFIG_ADAPTED. JENKINS-51856
Introduce a new experimental UI that can be enabled by setting the jenkins.ui.refresh system property to true. Currently it includes a new header color scheme, more changes to be added as a part of the UI/UX revamp. pull 4463, JENKINS-60920 , JEP-223, Jenkins UX SIG
Add a new experimental Overall/Manage permission which allows a user to configure parts of the global Jenkins configuration without having the Overall/Administer permission. This is an experimental feature, disabled by default, that can be enabled by setting the jenkins.security.ManagePermission system property to true. pull 4501, JENKINS-60266 , JEP-223
Add a new experimental Overall/SystemRead permission, which gives (almost) full read access to the Jenkins instance. The permission is disabled by default, install the Extended Read Permission plugin to activate it. pull 4506, JENKINS-12548 , JEP-224, Extended Read Permission plugin

Enhancement

The environment variable WORKSPACE_TMP may now be used from (non-Pipeline) builds to access a temporary directory associated with the build workspace. JENKINS-60634
Deprecate the Overall/RunScripts, Overall/UploadPlugins, and Overall/ConfigureUpdateCenter permissions. Permissions were announced as dangerous and disabled by default in major authorization plugins in 2017. Custom authorization strategy implementations that grant Overall/Administer without implying one or more of these three permissions will no longer work as expected. Configurations that grant any of these permissions to users without Overall/Administer will no longer work as expected. pull 4365, JENKINS-60266 , JEP-223, 2017-04-10 security advisory for Matrix Authorization plugin, 2017-04-10 security advisory for Role-Based Authorization plugin

Major bug fix

Fix NullPointerException when getting a list of runs with a status threshold (regression in 2.202). JENKINS-60884
User is no longer logged out when authenticating another user. JENKINS-59107

Bug fix

Winstone 5.9: Fix support of system logging customization (regression in 2.204.5) pull 4452, JENKINS-57888 , Winstone 5.9 changelog, Jetty 9.4.27 changelog

Security

Important security fixes. security advisory

Enhancement

Security hardening related to request routing and CSRF protection. related upgrade guide

Major bug fix

Fix propagation of the maximum form content size and form content keys number (regression in Jetty 9.4.20 and Jenkins 2.204.3). JENKINS-60409
Fix improper reverse proxy redirects to 127.0.0.1 due to X-Forwarded-Host and X-Forwarded-Port ordering issue (regression in Jetty 9.4.20 and Jenkins 2.204.3). JENKINS-60199

Bug fix

Revert Winstone from 5.8 to 5.3 to resolve embedded Jetty web container regressions in later Winstone versions. High default maximum form size limit and reverse proxy redirection are restored (regressions in 2.204.3). JENKINS-60409 , JENKINS-60199 , Winstone changelog

Major bug fix

Fix a KeyStores with multiple certificates are not supported error from Jetty when passing certain kinds of certificates, such as domain wildcards (regression in 2.204.3). pull 4539, JENKINS-60857 , Winstone 5.8 release notes

Enhancement

Internal: Winstone 5.7: Change the Jetty thread pool name to "Jetty (winstone)" pull 4452, JENKINS-60821 , Winstone 5.7 release notes

Bug fix

If the Jenkins root URL has been configured by scripts prior to running the setup wizard, skip the location configuration panel even if selecting the option to skip creation of an admin user. JENKINS-60750
Prevent inaccurate warnings about missing classes on Java 11 triggered by JavaMelody when Monitoring Plugin is installed. JENKINS-60725
Include details in the system log when a build rotation fails. JENKINS-60716
Fix java version check for AdoptOpenJDK 11. JENKINS-60678
Prevent Jenkins page rendering from being blocked when the update center data parsing is in progress. JENKINS-60625
Winstone 5.7: Fix support of system logging customization (regression in 2.177). pull 4452, JENKINS-57888 , Winstone 5.7 release notes
Fix null pointer exception in Agent API when the agent is offline (e.g. retrieving agent version or OS description). JENKINS-42658

Security

Important security fixes. security advisory

Major bug fix

User is no longer logged out when authenticating another user. JENKINS-59107

Enhancement

Security hardening related to Stapler routing.
Security hardening: Set X-Content-Type-Options to nosniff in REST API responses.

Bug fix

Disable multiple deletion attempts if hudson.Util.maxFileDeletionRetries is zero. JENKINS-60351
Prevent 'zombie' executors on built-in node by removing one-off executors in Computer.removeExecutor. JENKINS-57304
Fix AtomicFileWriter performance issue on CephFS when creating an empty file. JENKINS-60167
Developer: ViewGroupMixIn#getPrimaryView() may return null, and needs to be checked by plugins depending on this version of weekly and beyond. It is an intermediate state until a default view is implemented. JENKINS-60092

Changes since 2.204

Enhancement

Show a tooltip with the full link name when hovering over sidebar links. JENKINS-59508

Bug fix

Prevent faulty subtask contributors from leaving builds running forever. JENKINS-59793
Fix Uninstall column sorting in the Plugin Manager Install pane. JENKINS-59665

Notable changes since 2.190.3

Major enhancement

Prevent calls to Jenkins#save persisting data before we have finished loading the in-memory model. This prevents possible corruption of the main Jenkins configuration. JENKINS-58993
Remove the ability to download update center metadata using the user's browser (deprecated since 2015). Jenkins will no longer inform about available updates without a connection to update sites. We recommend the use of a local mirror of our update sites, or a self-hosted update center like Juseppe in these situations. pull 3970
Allow time zone to be set on a per-user basis. JENKINS-19887
Add an option for a Resource Root URL through which Jenkins will serve user-generated static resources like workspace files or archived artifacts without the need for Content-Security-Policy headers. JENKINS-41891

Enhancement

Stop bundling Maven Plugin, Subversion Plugin, and several other plugins inside the Jenkins war file. In very rare cases, this could result in problems when attempting to install plugins compatible with Jenkins before 1.310. The Jenkins project is currently not publishing any such plugins. pull 4040
Deprecate the macOS native installer in favor of Homebrew. macOS Native Installer Deprecation blog post
Remove 100 character length limitation of build description in build history widget. JENKINS-19760 , JENKINS-31209
Update Remoting from 3.33 to 3.36. Adds a new connection mode for inbound TCP agents. Update minimum required remoting version to 3.14. Adds command line options "-help" and "-version". Remoting 3.36 release notes, pull 4193, Remoting 3.35 release notes, pull 4208, pull 4186, JENKINS-53461 , pull 4165, Remoting 3.34 release notes, Remoting connection steps reduced

Bug fix

Revert changes in forms submission in Jenkins classic UI with Firefox have caused a regression on forms with "file" inputs. These were made to anticipate a bugfix in Firefox which has been backed out since. (regression in 2.173) JENKINS-58296 , JENKINS-53462 , Firefox issue 1370630

Bug fix

Robustness: Do not allow users to resubmit requests using POST on URLs requiring a form submission, as that will fail anyway. JENKINS-59514
The lastCompletedBuild permalink was not being cached in the …/builds/permalinks file. JENKINS-56809
Fix labels to Atom feed links. JENKINS-48375
Revert changes in forms submission in Jenkins classic UI with Firefox. Changes caused a regression on forms with "file" inputs. These were made to anticipate a bugfix in Firefox which has been backed out since. (regression in 2.164.3) JENKINS-58296 , JENKINS-53462 , Firefox issue 1370630

Bug fix

URLs of some projects with emojis in their name were inaccessible. JENKINS-59406
Increase client-side keep-alive ping frequency on the HTTP-based CLI to prevent timeouts. JENKINS-59267
Internal: hudson.util.ProcessTree.OSProcess#getEnvironmentVariables returned null when an error occurred even though it shouldn't. JENKINS-59580

Changes since 2.190

Security

Important security fixes. 2019-09-25 security advisory, 2019-08-28 security advisory

Bug fix

Fix missing absolute URL in the RSS / Atom feeds. (regression in 2.190) JENKINS-59167

Major bug fix

Jenkins UI broke when a slow trigger administrative warning would be shown. (regression in 2.189) JENKINS-58938

Notable changes since 2.176.4

Major enhancement

Jenkins no longer creates symbolic links inside project or build directories. The Build Symlink plugin may be installed to restore this functionality if desired. URLs such as /job/…/lastStableBuild/ are not affected, only tools which directly access the $JENKINS_HOME filesystem. JENKINS-37862
Remove Trilead SSH library from Jenkins core and make it available in a new detached plugin. JENKINS-43610

Bug fix

Add support of emojis and other non-UTF-8 characters in job names. 🎉 JENKINS-23349

Enhancement

Update Windows Agent Installer from 1.10.0 to 1.11, enabling TLS 1.2 on agent downloads when running with .NET 4.6 or newer. JENKINS-51577 , full changelog
Update Winstone-Jetty from 5.2 to 5.3 to update Jetty to 9.4.18. pull 4016, full changelog, Jetty 9.4.18 changelog, Jetty 9.4.17 changelog, Jetty 9.4.16 changelog
Update JNA from 4.5.2 to 5.3.1 to fix issue with shared library loading on AIX when using OpenJDK. JENKINS-57515
Update Remoting to 3.33. JENKINS-57959 , JENKINS-50095 , JENKINS-57713 , full changelog
Support setting excludes and case sensitivity in the fingerprint() build step in Pipeline and other job types. documentation, pull 3915
Improve Configuration-as-Code compatibility of ListView. JENKINS-57121
Stop using the name argument in the install-plugin CLI command. pull 4123
Remove obsolete session cookies when logging out, preventing errors related to headers being too large. JENKINS-25046
Add support for IPv6 addresses in the Jenkins URL configuration. JENKINS-58041
Allow distinguishing between new projects, disabled projects, and those with aborted builds through differently shaded build balls. pull 3997
Add a warning when cron trigger spends a long time in its execution. JENKINS-54854
Batch up plugin installations in setup wizard to improve performance. pull 4124
The default interval for node monitors (e.g. free disk space) can now be changed by setting the system property hudson.node_monitors.AbstractNodeMonitorDescriptor.periodMinutes. pull 4105, Jenkins features controlled by system properties

Security

Security fixes. security advisory

Security

Important security fixes. security advisory

Bug fix

The plugin manager UI no longer prevents disabling a plugin when other plugins only have optional dependencies to it. JENKINS-33843
Fix performance issue when using "Remember me". (regression in 2.160) JENKINS-56243
Do not throw exception when testing proxy configuration. (regression in 2.168) JENKINS-57383
Prevent occasional IllegalStateException on Jenkins restart and invalidate the user session. JENKINS-55945

Security

Important security fixes. security advisory

Bug fix

A thread pool used to wait for external processes to complete could leak class loaders. JENKINS-57725
Make sure detached plugins (plugins whose functionality used to be part of Jenkins itself) are installed upon Jenkins startup when needed as implied dependencies of other plugins which were already present. This simplifies compatibility for specialized installation scenarios not using the update center, such as when Jenkins is run from a Docker image prepackaged with some plugins. JENKINS-57528
Update WinP from 1.27 to 1.28 to fix problems with a missing DLL and flickering console window in the Windows graceful process shutdown logic. JENKINS-57477 , full changelog

Enhancement

Replace some exception stack traces related to agent channels with simpler messages. JENKINS-57993

Changes since 2.176

Bug fix

Restore Chinese localized resources used by the setup wizard. JENKINS-57412
Robustness: Do not put agent offline for runtime exceptions in ComputerListener#onOnline(). JENKINS-57111

Notable changes since 2.164.3

Major enhancement

Support for the Remoting mode of the CLI (-remoting option) has been removed. pull 3838, announcement blog post
Remove misleading nonStoredPasswordParam symbol for password parameter definitions, since it's actually stored encrypted. JENKINS-56776
Remove built-in support for CCtray (cc.xml) files. To restore this feature, install the CCtray XML Plugin. JENKINS-40750

Enhancement

Add stop-job CLI command which allows aborting builds. JENKINS-11888
Add support for turning off a log recorder in the logger configuration. JENKINS-56200
Add the run parameter filter value to REST API responses. JENKINS-56554
Update status icon of a build when the build is finished. JENKINS-16750
Remove misleading references to Java Web Start and JNLP from GUI surrounding inbound Jenkins agents. pull 3998
Inform administrators about potentially unsafe permissions setup involving builds running as the virtual SYSTEM user. JENKINS-24513
Add a log message to build logs when builds run with the virtual SYSTEM authentication. pull 3908
Migrate all Chinese localization resources into Localization: Chinese (Simplified) plugin. pull 4008
Adjust stream flushing behavior for code running remotely on agents for better performance. This may lead to loss of messages for plugins which print to a build log from the agent machine but do not flush their output. Use -Dhudson.util.StreamTaskListener.AUTO_FLUSH=true to restore the previous behavior for freestyle builds. Note that Pipeline builds always expect remote flush. pull 3961
Update Winstone from 5.1 to 5.2 to make HTTPS cipher exclusions configurable. JENKINS-56659 , JENKINS-56591 , full changelog
Developer: Update Stapler from 1.256 to 1.257 to add support for loading localized webapp resources from any plugin. Add jenkins.PluginLocaleDrivenResourceProvider interface for plugins to participate in localized resource lookup. JEP-216, full changelog
Developer: Update Localizer library from 1.24 to 1.26 allowing plugins to override the lookup for localized resource files. pull 3896, JEP-216, full changelog
Developer: Add Jelly UI component f:secretTextarea for multi-line secrets analogous to f:password for single-line. pull 3967, Storing Secrets in Jenkins
Developer: SystemProperties may now be used from agent-side code. See SystemProperties#allowOnAgent. pull 3961

Bug fix

Remove Mailer related localized strings from core. Make sure you use Mailer Plugin 1.23. JENKINS-55292
Do not offer a workspace lease to a new build if it is already in use by a (Pipeline) build running across an agent reconnection. JENKINS-50504

Bug fix

Corrupted console notes could cause an uninformative NegativeArraySizeException to be thrown from ConsoleNote#readFrom and build log display to be broken. JENKINS-45661
The setup wizard did not properly escape passwords, resulting in errors with certain special characters. JENKINS-56856
Make form submit buttons on the Jenkins classic UI compatible with potentially upcoming Firefox bug fix. JENKINS-53462 , Firefox bug 1370630
Properly flush output from the Maven console annotator. JENKINS-56995
Make Debian/Ubuntu launcher script work with Java 11. JENKINS-57096

Enhancement

Re-enable Stapler request dispatching telemetry. JENKINS-57167

Security

Security fixes. security advisory

Bug fix

Workspace and artifacts browsing did not work on Windows Server 2016 with Microsoft Docker. (regression in 2.150.2) JENKINS-56114
Prevent NullPointerException when discarding unreadable fingerprint data. JENKINS-43218

Changes since 2.164

No notable changes in this release.

Notable changes since 2.150.3

Major enhancement

Java 11 is now fully supported. Multiple improvements for running Jenkins on Java 11 since 2.150.x, including support for plugins declaring a minimum Java version in their metadata and refusing to load incompatible plugins, and installation of a new JAXB plugin when running on Java 11 to allow use of JAXB APIs from plugins. announcement blog post, running on Java 11, upgrading to Java 11, JENKINS-52012 , JENKINS-52282 , JENKINS-55076 , JENKINS-55048 , JENKINS-55980 , JENKINS-55681 , JENKINS-52285

Enhancement

The list-jobs no longer lists items recursively when listing a specific folder. JENKINS-48220
Add a new CLI command disable-plugin to disable one ore more installed plugins and optionally restart Jenkins. JENKINS-27177
Update Trilead SSH library to add support for OpenSSH keys with AES256-CTR encryption. JENKINS-47603 , JENKINS-47458 , JENKINS-55133 , JENKINS-53653
Add support for the ed25519 key algorithm in Jenkins CLI. JENKINS-45318
Reduce the performance impact of the SECURITY-904 fix when downloading artifacts or workspaces as ZIP file. JENKINS-55050
Add new category Languages to the plugin wizard, which automatically installs available localization plugins based on browser language. pull 3626
Update Windows Service Wrapper from 2.1.2 to 2.2.0 and Windows Agent Installer from 1.9.3 to 1.10.0 to support disabling, renaming and archiving service logs. pull 3854, Windows Service Wrapper changelog, Windows Agent Installer Module changelog
Developer: Login and signup pages redesigned in 2.129 now can receive style contributions (footer view for SimplePageDecorator) from multiple plugins. JENKINS-54325

Bug fix

Update SSHD Module from 2.5 to 2.6 to apply a proper Apache Mina idle timeout value when a custom value was set using the org.jenkinsci.main.modules.sshd.SSHD.idle-timeout system property. JENKINS-55978 , full changelog

Bug fix

Improve robustness of console annotators such as the Timestamper plugin in conjunction with certain Pipeline steps such as git on an agent with an old agent.jar. JENKINS-55257
User account creation by administrators did not show error messages when it failed. (regression in 2.129 and 2.138.1) JENKINS-52869

Security

Important security fixes. security advisory

Enhancement

Invalidate sessions and CLI authentication caches when changing the user password in the Jenkins user database.
Add support for killing child processes on AIX. JENKINS-16867

Changes since 2.150

Security

Important security fixes. security advisory

Bug fix

Revert compatibility fix for future releases of Firefox due to regressions it caused since 2.148. JENKINS-54261 , JENKINS-54333 , JENKINS-54570
Prevent Stream is closed error in case a CLI command finishes before the input is entirely read. JENKINS-54310
Avoid Premature EOF error when using the shutdown CLI command. JENKINS-49196
Do not cache CSS/JS resource files for console annotations like Timestamper Plugin across Jenkins restarts. JENKINS-38719

Notable changes since 2.138.4

Major enhancement

Numerous fixes and improvements to better support running Jenkins on Java 11. JENKINS-46523 , JENKINS-46725 , JENKINS-51805 , JENKINS-52019 , JENKINS-52024 , JENKINS-53693 , JENKINS-53710 , JENKINS-53929 , Parent POM 1.49 changelog, Winstone-Jetty 5.1 changelog, Groovy 2.4.12 changelog, Jetty 9.4.12 changelog
Migrate most Simplified Chinese translations into Localization: Chinese (Simplified) Plugin. pull 3667

Enhancement

Allow use of the console command with Job/Read permission. JENKINS-52181
Wait up to two minutes for process termination before killing it (typically when aborting a build). JENKINS-17116
Reduce logging level of restart and shutdown related notifications from SEVERE to INFO. JENKINS-53282
New JENKINS_USER_ID and JENKINS_API_TOKEN environment variables can be used to configure the CLI authentication. JENKINS-53792
Do not submit telemetry if there's no relevant data. JENKINS-54137
Use per-trial correlation IDs for telemetry submissions. JENKINS-54136
Developer: Add support for the @PostConstruct lifecycle method annotation. JENKINS-52818
Developer: Add interface PersistentDescriptor that allows implementing Descriptors to skip explicit calls to load(). JENKINS-52818
Developer: Introduce getPlatform() and setPlatform() methods in hudson.EnvVars. JENKINS-53721
Developer: Introduce new hudson.Util#fixNull(value, defaultValue) method. pull 3656
Developer: Add overridable Queue.Task#getAffinityKey() to allow consistent hashing for Pipeline builds in the future. JENKINS-36547

Bug fix

Update Remoting from 3.26 to 3.27 to eliminate a potential deadlock. full changelog, JENKINS-53569
Developer: ConsoleAnnotatorFactory mishandled its type parameter, effectively forcing all implementations to use Object or raw types. pull 3662

Security

Important security fixes. security advisory

Bug fix

The initial visibility of nested groups of radio buttons did not accurately reflect the current values. JENKINS-48516
Improve robustness when search items don't specify a display name. JENKINS-50795

Enhancement

Update Stapler from 1.254.2 to 1.255 to integrate a fix related to StaplerProxy#getTarget() return value handling. pull 3690, stapler/stapler#149
Add telemetry trial related to Stapler request dispatching. JENKINS-54029

Security

Important security fixes. security advisory

Major enhancement

Security hardening: Escape variables in Jelly views by default. announcement blog post, LTS upgrade guide, list of affected plugins

Major bug fix

Update Winstone-Jetty from 4.4 to 5.0 to fix HTTP/2 support and threading problems on hosts with 30+ cores. JENKINS-53239 , JENKINS-52804 , JENKINS-51136 , JENKINS-52358

Enhancement

Security hardening related to Stapler routing. SECURITY-595 in the 2018-12-05 security advisory
Security hardening related to HTTP verb restrictions for web methods.
Extend anonymous usage statistics with information about applied security fix escape hatches. JEP-214

Bug fix

Fix a thread safety issue when creating multiple nodes in parallel. JENKINS-53401
Nested f:repeatable/f:repeatableProperty form elements inherited minimum when they shouldn't. JENKINS-37599

Changes since 2.138

Bug fix

A configured quiet period was interpreted as milliseconds, instead of seconds. (regression in 2.82) JENKINS-48770

Notable changes since 2.121.3

Major enhancement

Redesigned login, signup, and Jenkins is (re)starting pages. Existing page decorators like Simple Theme Plugin will no longer work with these redesigned pages. JENKINS-50447 , announcement blog post
Replace single per-user API token with new system of multiple, revocable, unrecoverable API tokens with usage tracking. JENKINS-32442 , JENKINS-32776 , blog post
The deprecated Jenkins CLI Protocol versions 1 and 2, and Java Web Start Agent Protocol versions 1, 2, and 3 have been disabled. If you still use these protocols (e.g. remoting-based CLI, or old slave.jars on agents), you need to re-enable these protocols after upgrade, or upgrade the clients. The same recommendations as in The 2.121.x upgrade guide for remoting changes apply here. JENKINS-48480
Check SHA-512 or SHA-256 checksums of update site and tool installer metadata and core and plugin downloads if the update site provides them. pull 3356
Optional extensions are now loaded without requiring to restart Jenkins after installing an optional dependency. JENKINS-50336

Enhancement

Upgrade Winstone from 4.2 to 4.4 to update Jetty from 9.4.8.v20171121 to 9.4.11.v20180605, adding an option to enable JMX when running Jenkins using java -jar jenkins.war. pull 3422, pull 3497, full changelog, Jetty 9.4.11 changelog, Jetty 9.4.10 changelog, Jetty 9.4.9 changelog, JMX Documentation for Jetty, full list of options
Upgrade Remoting from 3.21.1 to 3.25 to have agents check availability of the controller's TCP Agent Listener port when connecting over TCP. JENKINS-51818 , JENKINS-52204 , Remoting 3.22 changelog
Upgrade Bytecode Compatibility Transformer from 1.8 to 2.0-beta-2, upgrading ASM from 5.0.1 to 6.2 to improve support of Java 9+ runtimes. JENKINS-51837 , supported Java versions
Update Executable WAR from 1.39 to 1.41 to allow running Jenkins with incompatible (too new) Java versions by setting the --enable-future-java flag. JENKINS-51155 , JENKINS-51994 , JENKINS-46622 , Executable WAR 1.40 changelog, Executable WAR 1.41 changelog, supported Java versions
Update instance identity module from 2.1 to 2.2 to improve Java 11 compatibility. JENKINS-51965 , full changelog
Update JNA from 4.2.1 to 4.5.2 to add support for s390x, update GNU C minimal requirement to 2.7 on Unix platforms. JENKINS-52771
Add a new CLI command enable-plugin to enable one or more installed plugins and optionally restart Jenkins. JENKINS-52822
Add support for Zip files larger than 4 GB (Zip64). JENKINS-52356
Add modification timestamp to files in directory browser views such as archived artifacts and workspaces. JENKINS-20998
Export path to agent file system root directory in remote API. pull 3206
Jenkins remote API: Export fingerprints for builds which do not derive from AbstractBuild, like Pipeline builds. JENKINS-51667
Some deserialization rejections are now logged on WARNING log level, instead of only on FINER. JENKINS-51666
Developer: Introduce SimplePageDecorator extension point, which allows decorating the redesigned login page. announcement blog post
Internal: Update parent POM. Jenkins now requires Maven 3.5.4 or newer to build. pull 3567
Internal: Various improvements related to incremental Maven releases. JENKINS-51187 , JENKINS-51247 , pull 3430, JEP-305

Bug fix

Instances of some item types could not be renamed. (regression in 2.110) JENKINS-52164
Don't fail to archive artifacts when attributes cannot be preserved, instead log a message and proceed without preserving attributes. (regression in 2.120) JENKINS-52325
Some types of builds, like pipelines, would sometimes run concurrently even when that was disabled. JENKINS-41127

Security

Security fixes. security advisory

Enhancement

Security hardening related to Stapler routing. SECURITY-595 in the 2018-12-05 security advisory
Robustness: Don't break queue processing when the configured queue sorter throws exceptions. JENKINS-52159
Allow java.time.Ser for use in XStream (XML serialization) and Remoting (agent communication). JENKINS-52534
Developer: Remove hudson.FilePath#copyFromRemotely(URL) Beta API. JENKINS-52417

Bug fix

Fix a potential deadlock between queue maintenance and asynchronous execution. JENKINS-46248
Security hardening: Prevent files in tar archives from being written to a path outside the destination directory. JENKINS-51777
Dynamically loaded plugins now have any PeriodicWork/AperiodicWork extensions scheduled. JENKINS-28683

Security

Important security fixes. security advisory

Enhancement

Update Remoting from 3.20 to 3.21 to apply logging enhancements and better no_proxy support. JENKINS-51223 , JENKINS-50965 , JENKINS-51551 , Remoting 3.21 changelog
Improve diagnostics of corrupted plugin archives during plugin dynamic loading. JENKINS-51608
Robustness: A buggy ComputerListener#onConfigurationChange implementation should not block Jenkins startup. JENKINS-50217
Diagnostics: Log stack traces in JEP-200 rejection messages when jenkins.security.ClassFilterImpl logging level is FINE or above. JENKINS-51355
Improve Jenkins root URL validation. JENKINS-51158
Do not remove workspaces for projects with builds in progress. JENKINS-27329
Developer: ComputerLauncher implementations can now set channels with a custom CommandTransport implementation. JENKINS-51541
Developer/Internal: Remove use of a Guava method deleted in later versions, which could cause problems for plugins running functional tests. JENKINS-51779

Bug fix

If using the Artifact Manager on S3 plugin with the (non-default) option to delete artifacts, they were not deleted when the entire build was deleted. JENKINS-51819
Don't monitor response time on offline agents. JENKINS-20272
Copying Run parameters did not work as expected as RunParameterDefinition#copyWithDefaultValue called the wrong constructor. JENKINS-51650
Restore implied dependency on JDK Tool Plugin from Apache HttpComponents Client 4 API Plugin to fix dependency problems. JENKINS-51483
Actions created from a TransientActionFactory that got attached to an item in the queue are no longer persisted, which could previously lead to duplicate actions shown for builds. JENKINS-51584
Prevent unhandled ClassCastException when loading fingerprints from corrupted files. JENKINS-51179
Do not duplicate caller stack trace when FilePath#act fails. JENKINS-51082
Fix behaviour of Advanced button when a section element is nested inside. JENKINS-14632
Developer API: StreamTaskListener#getCharset() now returns the default charset when it is not configured. JENKINS-51971
Developer API: Prevent NullPointerException in SlaveComputer#setChannel(Channel,OutputStream,Channel.Listener) with null OutputStream. JENKINS-51955

Changes since 2.121

Enhancement

Faster list rendering of Plugin Manager » Available. JENKINS-51205

Notable changes since 2.107.3

Major enhancement

Install from java.sun.com installation method for JDK tools has been moved to a new JDK Tool Plugin. JENKINS-22367
It is no longer possible to rename jobs from their configuration page. Jobs now have a link in the side panel titled "Rename" that links to a page specifically dedicated to renaming jobs. JENKINS-22936
The Job/Build permission no longer implies the Job/Cancel permission. The latter needs to be granted explicitly to users who previously got it via this relationship. JENKINS-14713
Update Remoting from 3.17 to 3.20 in order to apply various performance and diagnosability improvements, such as logging warnings when anonymous classes are serialized over a Remoting channel, and allowing Jenkins core to always deserialize exceptions even if they're not allowed. To benefit from the latter improvement, Remoting needs to be updated on the agent side as well. JENKINS-49415 , JENKINS-49472 , JENKINS-48561 , JENKINS-49994 , JENKINS-49618 , full changelog
Developer: JEP-202: Extend VirtualFile API to streamline external artifact storage. API additions are marked beta and may change at any time. JEP-202, pull 3302
Developer: Subclasses of AbstractItem can implement AbstractItem#isNameEditable and return true to get automatic support for renames. Subclasses are also able to dynamically validate renames by implementing AbstractItem#checkRename. JENKINS-22936

Major bug fix

Fix issue preventing process killing vetoes being effective on agents. JENKINS-9104 , ProcessKillingVeto extension point implementations

Enhancement

Pipeline builds could not be started if the Authorize Project plugin was configured to associate the build with a user to whom the authorization strategy was configured to deny Agent/Build permission on the built-in node. JENKINS-46652
archiveArtifacts in a Pipeline failed to throw a normal exception when there were no matches. JENKINS-47142
Allow use of lists of options as provided by the Pipeline snippet generator for choice parameters. JENKINS-26143
Default Crumb Issuer proxy compatibility can be enabled on first startup by setting the system property jenkins.model.Jenkins.crumbIssuerProxyCompatibility to true on startup. JENKINS-50767 , Jenkins features controlled by system properties
Introduce hudson.triggers.SafeTimerTask.logsTargetDir system property to write logs usually written to $JENKINS_HOME/logs to another location. JENKINS-50291
Remove the options to define custom Build Record Root Directory and Workspace Root Directory on the Configure System form to prevent unexpected failures during runtime. Instead, these locations can now be customized using system properties on startup. JENKINS-50164 , Jenkins features controlled by system properties
Use case-insensitive autocompletion for item selection dialogs if the current user prefers case-insensitive search. JENKINS-38812
Better autocompletion for loggers supporting multiple tokens and proposing useful parent loggers. pull 3345
Show more entries in the search results dropdown and search results page. JENKINS-47020
Ensure as much as possible that the Jenkins root URL is defined by adding a new setup wizard page and an administrative monitor. JENKINS-31661
Add agent symbol for a permanent agent in Structs Plugin based configuration. JENKINS-49661
Issue warnings to the system log when attempts are made to use classes with unpredictable names and serial forms (such as anonymous classes) in Remoting or XStream (de)serialization. JENKINS-49795
Update Winstone from 4.1.2 to 4.2 to update Jetty from 9.4.5 to 9.4.8 for various bugfixes and improvements. full changelog, Jetty 9.4.6 changelog, Jetty 9.4.7 changelog, Jetty 9.4.8 changelog
Internal: Choose more mnemonic artifactIds for modules not consumed externally. pull 3311

Bug fix

Archiving artifacts now preserves file permissions and last modification time. JENKINS-13128
Prevent some cases of linkage errors relating to Servlet classes when code is run on an agent. JENKINS-46386
Make the logic for adding nodes atomic, so that if a newly added node fails to be persisted it will not exist in a partly-initialized state. JENKINS-50599
Update WinP from 1.25 to 1.26 to fix loading of WinP libraries on Windows inside Weblogic web container. JENKINS-48347 , full changelog

Security

Important security fixes. security advisory

Enhancement

Allow java.util.EnumMap and org.jruby.RubyNil for use in XStream (XML serialization) and Remoting (agent communication). JENKINS-50939 , JENKINS-50616
Internal: Add new update center root CA certificate. Help desk issue 1236

Bug fix

Don't log null pointer exceptions on some forms with validation button. (regression in 2.107.2) JENKINS-50748
Allow users without Overall/Read access to use the who-am-i and logout commands. JENKINS-50324
Fix a race condition in the Setup Wizard that could lead to it being skipped on the first startup when groovy scripts or init scripts are pre-installed. JENKINS-49401
In rare configurations, agents tried to load unloadable classes from the controller, resulting in ClassNotFoundException: javax.servlet.ServletContextListener on agents. JENKINS-46386
Make Cancel Shutdown link in side panel work without requiring the page to be reloaded. JENKINS-44402

Security

Security fixes. security advisory

Major bug fix

Display estimated remaining time again for Pipeline jobs. (regression in 2.89.4) JENKINS-48821

Enhancement

Update Apache Mina SSHD Core from 1.6.0 to 1.7.0 in CLI client. JENKINS-49565 , changelog
Update Executable War from 1.37 to 1.38 to show an error when an attempt is made to run Jenkins on Java 9. JENKINS-49737 , full changelog
Always show the built-in node in the executors widget, even when it is offline. JENKINS-34712
Periodically persist the build queue so it can be restored on abnormal process termination. JENKINS-30909
Reduce memory footprint of jenkins.model.lazy.AbstractLazyLoadRunMap#search in descending order. JENKINS-50056
Add ConcurrentLinkedQueue to white-listed classes for use in XStream (XML serialization) and Remoting (agent communication). JENKINS-49788

Bug fix

JEP-200: Allow org.apache.tools.ant.Location deserialization to prevent exception when listing agent files in non-existent directory or invalid filter. JENKINS-50237
Clean up the build.xml files of parameterized projects that contained unnecessary serialized data. JENKINS-49795
Restore serialVersionUID of AbstractTaskListener. (regression in 2.91) JENKINS-50124
Prevent FileNotFoundException in hudson.Util#loadFile in case of race condition. JENKINS-49971
Make proxy views work inside folders. JENKINS-49642
Upgrade Winstone from 4.1.0 to 4.1.2 to prevent User session memory leak by setting the default idle session eviction timeout to 30 minutes. JENKINS-49596 , full changelog
Fix translation of 'sign up' in Dutch, used to be 'sign in'. JENKINS-49498
Improve robustness in case a build with parameters was stored with a null list of parameters. JENKINS-39495
Prevent NullPointerException in AbstractProject#checkout when the agent disconnects during a build. JENKINS-29470

Changes since 2.107

Bug fix

Make JEP-200 serialization allowlist more reliable on old versions of Tomcat 8. JENKINS-49543
Don't show input validation errors in optional numeric form fields. (regression in 2.105) JENKINS-49387 , JENKINS-49520

Notable changes since 2.89.4

Major enhancement

Switch Remoting/XStream denylist to an allowlist. JENKINS-47736 , upgrade guidelines for admins and plugin maintainers, list of plugins known to be impacted
Use Java NIO library instead of native code to create and detect symbolic links and Windows junctions to improve compatibility and robustness. JENKINS-36088 , JENKINS-39179
Update Remoting from 3.14 to 3.17 to integrate multiple fixes and improvements. full changelog, JENKINS-37566 , JENKINS-37670 , JENKINS-38696 , JENKINS-46724 , JENKINS-47965 , JENKINS-48055 , JENKINS-48130 , JENKINS-48133 , JENKINS-48309 , JENKINS-47736 , JENKINS-48686 , JENKINS-27035 , JENKINS-49027

Enhancement

Jenkins now creates XML 1.1 files to be more accepting of unusual contents. JENKINS-48463
Use Java NIO to read and write Unix file permissions by default. The previous behavior can be restored by setting the Java system property hudson.Util.useNativeChmodAndMode to true. JENKINS-36088 , Jenkins features controlled by system properties
Improve robustness and error handling of various file operations by switching to NIO. JENKINS-47324 , JENKINS-48405
Remove support for unbounded number of SCM polling threads. Previously, the default was infinite and could be set to between 10 and 100. Existing installations with unbounded SCM polling threads will now use the default of 10, and it is no longer possible to use a value outside of this range. pull 3258
Do not require CSRF crumb to be provided when the request is authenticated using API token. JENKINS-22474
Introduce new hudson.lifecycle.ExitLifecycle to exit instead of restart. JENKINS-47043 , Jenkins features controlled by system properties
Upgrade Executable War from 1.36 to 1.37 to allow supplying jenkins.war command-line arguments via standard input using the --paramsFromStdIn parameter. pull 3223, documentation
Update SSHD Module 2.0 to 2.4 to update Apache Mina SSHD Core from 1.6.0 to 1.7.0, and fire authentication events in SecurityListeners when a user connects using SSH. pull 3278, pull 3111, SSHD module changelog
Export assignedLabels for agents and labelExpression for applicable job types in remote API. JENKINS-25286
Re-style the Manage Jenkins page, including administrative monitors. JENKINS-43786 , blog post
Define a minimum required version of the Remoting library (agent communication) and print warnings when an older version is connecting. pull 3250
When Jenkins fails to load plugins, show failures that users need to take action on separate from those due to other plugins failing to load. pull 3256
Developer: Jenkins#getInstance() is now deprecated as its semantics have been a source of confusion for some time. Use #get() in typical cases and Jenkins#getInstanceOrNull() in rare cases (see Javadoc). JENKINS-48638
Developer: Deprecate the ambiguous User#getUser(String) in favor of the User#getById() or the new User#getOrCreateByIdOrFullName() methods. JENKINS-47718
Developer: Capture more authentication-related events in SecurityListener. JENKINS-27027
Developer: Deprecate hudson.util.Service in favor of Java's ServiceLoader. pull 3191

Major bug fix

Updating Jenkins jobs and views by XML left fields at their old value if not defined in the new XML. JENKINS-21017

Bug fix

Fix HTTP 404 error when clicking on New View sidebar link from another view. JENKINS-48447
Upgrade Executable War from 1.36 to 1.37 to prevent multiple copies of winstone-*.jar in the temp folder from using up disk space needlessly. JENKINS-22088
Update to task reactor version 1.5 to prevent hanging of Jenkins on startup/reload when an initialization task throws an unhandled exception. JENKINS-48725 , full changelog

Security

Important security fixes. security advisory

Enhancement

Security hardening to prevent problems like SECURITY-624 in the future. 2017-12-05 security advisory, Ant Plugin fix in 2018-01-22 security advisory
Reduce memory usage when scheduling pipelines on big clusters. JENKINS-48348
Improve UI performance with long list of running builds by caching the estimated duration. JENKINS-48350

Bug fix

Update Stapler from 1.253 to 1.254 to make the form that shows up when a URL requiring POST is accessed using a different HTTP verb work with CSRF protection enabled. JENKINS-34254 , Stapler changelog
Do not downgrade detached plugins when upgrading Jenkins while its previous version was not properly recorded. JENKINS-48899
The setup wizard is now resumed upon restart if it hasn't been completed yet, instead of showing the regular login screen. (regression in 2.81) JENKINS-47439

Major bug fix

Make sure detached plugins (plugins whose functionality used to be part of Jenkins itself) are installed when upgrading Jenkins past the version at which the plugin was detached. JENKINS-48365

Bug fix

Make the system property hudson.consoleTailKB actually work. JENKINS-48593 , Jenkins features controlled by system properties
Fix a performance regression in Jenkins 2.86 due to lock contention in ExtensionList. JENKINS-48505
Prevent setup wizard from hanging when the two provided passwords differ, instead show a validation error. JENKINS-48080
Prevent concurrent installation of Maven on the same node to prevent problems. JENKINS-34138
Prevent potential NullPointerException when migrating the default "All View" name for a "My Views" user property. JENKINS-48157

Enhancement

Cache permission names, allowing Jenkins to recover faster after "stop-the-world" Java GC pauses. JENKINS-48349
Improve user lookup performance, for example from Git changelog calculation. JENKINS-47429

Security

Security fixes. security advisory, announcement blog post

Changes since 2.89

Major bug fix

Recover from legacy user configuration folders with $ characters that are not part of hex escape sequences. (regression in 2.89) JENKINS-47909
Fix Download from java.sun.com installation method for JDK for downloads requiring an Oracle login after change to the Oracle site. JENKINS-47448

Enhancement

Update Remoting from 3.13 to 3.14 in order to apply various performance and stability improvements. full changelog, JENKINS-37566 , JENKINS-45294 , JENKINS-47425 , JENKINS-47901 , JENKINS-47942
Update Windows Agent Installer from 1.9.1 to 1.9.2: Do not try to update jenkins-slave.exe on Unix agents when they connect. full changelog, JENKINS-47015

Bug fix

Prevent caching of captcha on the login form. JENKINS-43852

Notable changes since 2.73.3

Major enhancement

Launch agent via execution of command on the master has been moved to a new Command Launcher plugin and integrated with the Script Security plugin. JENKINS-47393 , Command Launcher plugin site entry, related security advisory
Upgrade Stapler library from 1.250 to 1.253. pull 2956, Stapler changelog
Update Remoting to improve stability and diagnosability. JENKINS-37567 , JENKINS-43985 , JENKINS-45522 , JENKINS-47132 , JENKINS-38711 , full changelog

Major bug fix

Prevent core or plugin code from mistakenly attempting to serialize jobs, builds, and users except in their intended top-level XML file positions, preventing a class of serious deserialization-related errors. JENKINS-45892
Developer: Fix TimeDuration time unit handling and its incorrect usage. TimeDuration uses milliseconds as the default unit. It was supposed to parse sec or secs suffix to interpret the number as seconds, but that never worked. JENKINS-44052
Stapler 1.252: Prevent file handle leak in LargeText#GzipAwareSession. JENKINS-45903

Bug fix

Stapler 1.252: Restore ability to attach views to interfaces. (regression in 2.46) JENKINS-43715

Enhancement

Stapler 1.253: Servlet 3.1 support, improved Blue Ocean performance and changes of interest to plugin developers. JENKINS-37062 , Stapler changelog
Disable obsolete JNLP, JNLP2, and CLI protocols on new Jenkins installations during Setup Wizard. JENKINS-45841 , announcement blog post
Restart agent communication related threads on both controller and agents when encountering an unhandled exception, if possible, to improve stability. JENKINS-38711
Default the built-in Jenkins Update Center URL to https://updates.jenkins.io instead of obsolete HTTP endpoint. This requires a JRE compatible with Let's Encrypt, e.g. Oracle JRE 8u101. pull 2996
Moved Jenkins agent runtime to agent.jar file name, and deprecate (but still support) use of legacy slave.jar. Introduce the AGENTJAR_URL environment variable as replacement for SLAVEJAR_URL. JENKINS-35451
Improve error reporting when failing to archive artifacts. pull 2976
Enable cc.xml to export jobs in folders recursively when accessed with a query parameter named recursive. JENKINS-36282
Add new administrative monitor warning users about disabled CSRF protection. JENKINS-47372
Commons Codec library upgraded from 1.8 to 1.9. pull 3033
Agents JVM must be 1.8+ and a clear message is shown in connection logs if it is not. JENKINS-44851
Add sidebar link to create new view. JENKINS-6290

Security

Security fixes. security advisory

Major bug fix

Fix Download from java.sun.com installation method for JDK for downloads requiring an Oracle login after change to the Oracle site. JENKINS-47448

Bug fix

Fix potential HTTP 414 error in form validation of long Batch/Shell tool installer scripts. JENKINS-47058
Properly display agent launch arguments when using nested launch methods. JENKINS-47056
Disconnect node on ping timeout instead of leaving the channel half open. JENKINS-46680
Avoid a possible server-side timeout on long-running CLI commands using plain HTTP mode by sending periodic pings from the client. JENKINS-46659

Security

Important security fixes. security advisory

Major bug fix

Fix random failures to use passphrase-protected ed25519 SSH private keys. (regression in 2.73) JENKINS-46754
Update Remoting library from 3.10 to 3.10.2 to fix regression in Jenkins 2.68 when using non-writable home directories. JENKINS-45755 , full changelog, issue description in 2.73.1 upgrade guide

Major enhancement

Update Remoting from 3.10 to 3.10.2 to improve stability and diagnosability. JENKINS-45023 , JENKINS-45233 , JENKINS-46259 , full changelog

Changes since 2.73

Enhancement

Update Windows service wrapper from 2.1.0 to 2.1.2 and Windows Agent Installer from 1.9 to 1.9.1. Windows service wrapper changelog, Windows agent installer changelog, pull 2987, JENKINS-46282
Log name of the executor thread that died to improve diagnosability. JENKINS-42376

Bug fix

Prevent caching of the item categories list by the browser to prevent stale data. JENKINS-43848
Improve robustness of the reverse build trigger ("Build after other projects are built"). JENKINS-45909
Include culprits in XML and JSON API again. (regression in 2.60) JENKINS-46082
Button to validate proxy configuration in Manage Plugins now works correctly with NTLM authorization. JENKINS-46288

Notable changes since 2.60.3

Major enhancement

Upgrade Groovy from 2.4.8 to 2.4.11. Groovy 2.4.9 changelog, Groovy 2.4.10 changelog, Groovy 2.4.11 changelog
Integration of Winstone 4: Upgrade bundled Jetty from 9.2.15.v20160210 to 9.4.5.v20170502. This removes support for the deprecated SPDY protocol. The --spdy parameter has been removed accordingly and Jenkins may refuse to start if it's set. full changelog
Update Remoting from 3.7 to 3.10 adding opt-in support for work directories and improving logging in Jenkins agents. work directory documentation, logging documentation, remoting changelog, JENKINS-39370
SSHD Module 2.0: Update from SSHD Core 0.14.0 to Apache MINA SSHD 1.6.0 in Jenkins core and Jenkins CLI. changelog, plugin compatibility notice, JENKINS-43668

Bug fix

Jetty 9.4.5: Prevent the 400 Bad Host header error for HttpChannelOverHttp when operating behind reverse proxy. JENKINS-40693 , corresponding Jetty issue
Update jnr-posix from 3.0.1 to 3.0.41 to pick up improvements and fixes in the POSIX platforms support. pull 2904

Enhancement

Winstone 4.1: Add Jetty HTTP/2 connector and corresponding options for Winstone-Jetty. JENKINS-45438 , enabling HTTP/2 support in Winstone-Jetty
Enable Remoting work directories by default for newly created agents launched via JNLP (Java Web Start Launcher). JENKINS-44112 , feature documentation
SSHD Module 2.0: Enable aes192ctr and aes256ctr ciphers if JVM supports unlimited-strength encryption. JENKINS-39738
Update WinP from 1.24 to 1.25 to improve performance and diagnostics of issues like JENKINS-30782. full changelog
Freestyle projects may now list Pipeline jobs as downstream and trigger them, without needing to use the Parameterized Trigger plugin or reverse triggers ("Build after other projects are built"). JENKINS-28113
Internal: Define enabling/disabling in ParameterizedJob rather than AbstractProject. JENKINS-27299
Fixed Pipeline compatibility for a number of CLI commands (delete-builds, list-changes, console, set-build-description, and set-build-display-name), as well as some issues affecting error reporting in other commands when used with Pipeline. JENKINS-30785 , JENKINS-41527
Enable simpler syntax for upstream build trigger in pipelines. JENKINS-34464
Minor optimization to queue maintenance routines and printing of console notes, mainly for the benefit of Pipeline node blocks. JENKINS-45553
If you have the Authorize Project plugin installed and configured, its configuration will now be treated as final with respect to the behavior of Job/Build checks from Build other projects and Build after other projects are built. Formerly, if a Per-project configurable Build Authorization was enabled globally but some projects did not specify an Authorization, the two aforementioned checks would automatically fall back to checking as anonymous (typically denying build permission). To restore the former behavior, explicitly configure a Project default Build Authorization to be Run as anonymous. Note that this will affect all build-scoped permission checks, including for example Agent/Build. JENKINS-22949
Internal API: Tasks.getAuthenticationOf now honors authentication contributed by QueueItemAuthenticatorProvider extensions. pull 2880
Moved agent port and protocol configuration out of "security" (authentication and authorization) block in Configure Global Security. JENKINS-4478
Don't reload user records from disk unless explicitly requested to improve performance of user record access. JENKINS-45737
Plugin Development: Jenkins now no longer publishes a war-for-test artifact. Plugins using 2.64 or a later version of Jenkins (including 2.73.1) as baseline need to use plugin parent POM 2.30 or later. JENKINS-24064

Bug fix

Contributions to the PATH environment variable could result in malformed values on agents on a platform different from controller's. JENKINS-14807
Robustness improvements related to agent connections. JENKINS-43496 , JENKINS-38527
JNLP for launching agents now requests Java 8. JENKINS-45679
Prevent NullPointerException in Jenkins#getRootURL() while the instance is not fully loaded yet. JENKINS-34914
Fix NullPointerException when calculating culprits. JENKINS-45516

Enhancement

The reload-configuration CLI command now waits until the reload is finished, and returns an error code if the reload failed. JENKINS-45256
Remove the "JNLP" protocol references from the TCP Agent Listener log messages. JENKINS-44103

Enhancement

Allow overriding the Jenkins session ID suffix so it doesn't change on every restart, possibly resulting in too many cookies. how to set session ID, JENKINS-25046 , JENKINS-44894

Bug fix

Add documentation for time zone specification for cron patterns (e.g. SCM polling). JENKINS-9283
Do not submit form when pressing Enter in the plugin manager's filter field. JENKINS-44523
Jenkins failed to perform some cleanup tasks, including saving the build queue, if stopped via REST /exit, CLI shutdown, or when restarting from Install as Windows Service. JENKINS-44589
Don't check whether disabled administrative monitors are active or not on the Manage Jenkins page. JENKINS-44608
When starting the jenkins.war directly, properly check for Java 8 as minimum instead of Java 7 before proceeding. JENKINS-44764
Prevent NullPointerException when calling restart CLI command. (regression in 2.57) JENKINS-44769
Prevent possible NullPointerException when listing remote directories using the FilePath#list() and FilePath#listDirectories() APIs. JENKINS-44942

Changes since 2.60

Bug fix

Fix for NullPointerException while initiating some SSH connections. (regression in 2.59) JENKINS-44120

Notable changes since 2.46.3

Major enhancement

Jenkins (controller and agents) now requires Java 8 to run. JENKINS-27624 , JENKINS-42709 , pull 2802, announcement blog post
Upgrade the Windows Agent Installer module from 1.6 to 1.7. This change picks major updates in Windows service management logic. full changelog, guide to upgrading old Windows service agents
Windows services: Upgrade the bundled Windows Service Wrapper from 1.18 to 2.0.2. full changelog

Bug fix

Update Groovy to 2.4.8 to address memory leak issue. Pipeline: Groovy needs to be upgraded to 2.28 or higher to prevent regressions. JENKINS-33358 , JENKINS-42189
Windows services: Integrate various stability and performance fixes in Windows Service Wrapper from 1.18 to 2.0.2. There are many fixes around configuration options and process termination. full changelog
Packaging: Do not invoke recursive chown in JENKINS_HOME during the RPM post-install step unless owned by a different user. JENKINS-23273

Enhancement

Windows services: Enable Runaway Process Killer by default in new agent and controller installations. JENKINS-39231
Windows services: Enable auto-upgrade of Remoting on newly installed agents if they are connected by HTTPS. JENKINS-39237
Windows services: Add support of shared directories mapping in Windows agent services. Shared Directory Mapper documentation
Use case-insensitive search by default for new and anonymous users. JENKINS-42645
Searching in the Build History widget takes into account user preferences (case sensitivity by default). pull 2683
Allow searching by build parameter values in the Build History widget. JENKINS-40718
Update the Trilead SSH library to get support of new Mac, Key, and Key Exchange Algorithms. JENKINS-33021 , JENKINS-26379 , JENKINS-31549 , JENKINS-42959 , JENKINS-43979 , JENKINS-44046
When creating temporary files, use the jenkins prefix instead of the old hudson one. pull 2778
Update German, French and Russian localizations. pull 2777, pull 2787, pull 2798
Removed localizations with very low coverage: Albanian, Basque, Belarusian, Bengali, Esperanto, Galician, Georgian, Gujarati, Hindi, Icelandic, Indonesian, Irish, Kannada, Macedonian, Marathi, Mongolian, Occitan, Punjabi, Sinhala, Tamil, Telugu, Thai. pull 2813
Internal API: Add the ability for ItemListener to veto copy operations; make Run#compareTo work across jobs; save Jenkins after calling setSecurityRealm or setAuthorizationStrategy. JENKINS-34691 , JENKINS-42319 , pull 2762, pull 2782, pull 2790, pull 2805

Bug fix

If an exception is thrown while rendering an HTTP response, just log the stack trace on the server side, without trying to send an error page to the client. JENKINS-21695
Setup wizard gets into bad state when failures like network issues happen. JENKINS-41778
Catch and log RuntimeException in Computer#setNode() when updating the Computer list. JENKINS-42043
Fix AccessDeniedException in "Build after other projects are built" when user has Discover permission but not Read. JENKINS-42707
Prevent NullPointerException when a non-existent default view is specified in Configure System. JENKINS-42717
Properly handle saving system configuration when disabling all, or all but one, administrative monitors. JENKINS-42852
Remove links in stack traces to the stacktrace.jenkins-ci.org service that has been shut down. JENKINS-42861
Ensure that Cloud.PROVISION is properly initialized during the configuration loading. JENKINS-43279
Prevent rare NullPointerException if an admin user is created in the setup wizard after first disabling CSRF protection. JENKINS-44010

Enhancement

Migrate legacy users only once per restart to improve performance of the user retrieval logic. JENKINS-43936

Security

Important security fixes. security advisory

Major enhancement

Non-Remoting-based CLI. JENKINS-41745 , pull 2795, announcement blog post

Enhancement

Disable SSH server by default. JENKINS-33595

Bug fix

Computer#addAction would throw an UnsupportedOperationException since Jenkins 2.30. Such a call site was released in SSH Build Agents Plugin 1.15 for SECURITY-161. JENKINS-42969 , security advisory including SECURITY-161
Search results page did not correctly encode query parameters. JENKINS-42390
When validating a cron expression, consider the specified time zone. JENKINS-43228
Do not display a warning when an SCM trigger has no schedules (either to disable SCM post-commit hooks, or to enable them without polling). JENKINS-42194
Fix performance issue in deduplication of lists of tool installers. JENKINS-42141

Changes since 2.46

Bug fix

Prevent file descriptor leaks when Windows Service installer fails to read data from the service startup log. JENKINS-42670
Update Remoting from 3.5 to 3.7 in order to prevent file descriptor leaks on agents in the case of multiple connection attempts. full changelog
Exceptions during Jenkins cleanup step should not block restart. JENKINS-42164
Cryptic error message when loading JnlpSlaveAgentProtocol4. JENKINS-41987
Developer: Snapshot builds of plugins that had dependencies on other snapshot builds were not having their version numbers compared correctly. JENKINS-41899
Do not attempt to find the next occurrence of an impossible date such as June 31st in validation of trigger schedules. JENKINS-41864
Remoting 3.5: Stability improvements. JENKINS-41513 , JENKINS-41852
Remove invalid translations in Slovene. JENKINS-41756
Use of the remote API to create items in views (/view/…/createItem) didn't actually add items to views since Jenkins 2.22. JENKINS-41128
Remoting 3.5: Remoting clients now accept lowercase (HTTP 2) headers sent by reverse proxies. JENKINS-40710
Windows service restart did not retain build queue. JENKINS-32820

Enhancement

Remoting 3.5: Add option to specify the Remoting protocol to use on the client. JENKINS-41730

Notable changes since 2.32.3

Enhancement

Update the SSHD module from 1.7 to 1.8. The change disables obsolete Ciphers: AES128CBC, TripleDESCBC, and BlowfishCBC.
Enable the JNLP4 agent protocol by default. JENKINS-40886 , upgrade notes
Allow defining agent ping interval and ping timeout in seconds. It can be done via the hudson.slaves.ChannelPinger.pingIntervalSeconds and hudson.slaves.ChannelPinger.pingTimeoutSeconds system properties. JENKINS-28245
Print stack traces in logical order, with the most important part on top. pull 1485
Reduce size of Jenkins WAR file by not storing identical copies of remoting.jar/slave.jar there. pull 2633
Do not print warnings about undefined parameters when hudson.model.ParametersAction.keepUndefinedParameters property is set to false. pull 2687
Increase the JENKINS_HOME disk space threshold from 1 GB to 10 GB left. The warning will be shown only if more than 90% of the disk is utilized. JENKINS-40749

Bug fix

Delete obsolete pinning UI. JENKINS-34065
Use project-specific validation URL for SCM Trigger, so H is handled correctly in preview. JENKINS-26977
Failure to serialize a single Action could cause an entire REST export response to fail. Upgraded to Stapler 1.250 with a fix. JENKINS-40088
Add Usage Statistics section to the global configuration to make it easier to find. JENKINS-32938
Allow groovy CLI command via SSH CLI. JENKINS-41765

Bug fix

Display an informative message, rather than a Groovy exception, when View#getItems fails. JENKINS-41825
Don't try to set Agent Port when it is enforced, breaking form submission. JENKINS-41511
Don't add all group names as HTTP headers on "access denied" pages, possibly breaking reverse proxies due to very large headers. JENKINS-39402
Fix handling of the POST flag in ManagementLinks within the Manage Jenkins page. JENKINS-38175
IllegalStateException from Winstone when making certain requests with access logging enabled. JENKINS-37625
Do not fail to write a log file just because something deleted the parent directory. JENKINS-16634

Security

Important security fixes. security advisory

Major enhancement

Support displaying of warnings from the update site in the plugin manager and in administrative monitors. JENKINS-40494 , announcement blog post

Bug fix

Correctly state that Jenkins will refuse to load plugins whose dependencies are not satisfied in plugin manager. JENKINS-40666
The install-plugin CLI command now correctly installs plugins when multiple file arguments are specified. JENKINS-32358
Prevent the ClassNotFoundException: javax.servlet.ServletException error when invoking shell tasks on remote agents. JENKINS-40863
Properties were not passed to Maven command by Maven build step when the Inject Build Variables flag was not set. JENKINS-39268
Job configuration submission now does not fail when there is no parameters property. JENKINS-39700
Update Remoting to 3.4 in order to properly terminate the channel in the case Errors and Exceptions. JENKINS-39835
Check for Updates button in the Plugin Manager was hidden in the Updates tab when there was no plugins updates available. JENKINS-39971
SSHD Module: Handshake was failing (wrong shared secret) 1 out of 256 times due to SSHD-330. JENKINS-40362
Performance: Use bulk change when submitting Job configurations to minimize the number of sequential config.xml write operations. JENKINS-40435
Jobs were hanging during process termination on the Solaris 11 Intel platform, regression in 2.20. JENKINS-40470
Restore option value for setting build result to unstable when loading shell and batch build steps from disk. JENKINS-40894

Enhancement

Update to Winstone 3.2 to support ad-hoc certificate generation on Java 8 (using unsupported APIs). This option is deprecated and will be removed in a future release. We strongly recommend you create self-signed certificates yourself and use --httpsKeyStore and related options instead. JENKINS-25333

Changes since 2.32

Major bug fix

Prevent early deallocation of process references by Garbage Collector when starting a remote process. It was sometimes causing build failures with messages like FATAL: Invalid object ID 184 iuota=187 and java.lang.Exception: Object was recently deallocated. JENKINS-23271

Bug fix

Redirect to login page in the case of authorisation error when checking connectivity to the Update Center. JENKINS-39741
WinP 1.24: Native class now tries loading DLLs from the temporary location. JENKINS-20913
WinP 1.24: WinP sometimes kills wrong processes when using killRecursive(). It was likely impacting process termination on Windows agents and sometimes leading to BSoD. JENKINS-24453

Notable changes since 2.19.4

Major enhancement

Upgrade Remoting to version 3.1 with JNLP4-connect protocol. Compatibility notes are available here. Notably, it is no longer possible to use JDK 6 for the Maven project type, as communication with the Maven process uses Remoting, and it now requires Java 7. JENKINS-37564 , JENKINS-36871 , JENKINS-37565
Show notification with popup on most pages when administrative monitors are active. JENKINS-38391

Enhancement

Allow disabling/enabling administrative monitors on Configure Jenkins form. JENKINS-38301
Ask for confirmation before canceling/aborting runs. JENKINS-30565
Prompt user whether to add the job to the current view. JENKINS-19142
Allow CommandInterpreter build steps to set a build result as Unstable via the return code. Shell and Batch build steps now support this feature. JENKINS-23786
Internal: Upgrade Stapler library from 1.243 to 1.246 with fixes required for the Blue Ocean project. Changes are listed here. pull 2593

What's new in 2.19.4 (2016-11-23)

Reduce logging level when the localization resource is missing ResourceBundleUtil#getBundle(). (issue 39604)
Custom remoting enable/disable settings were not properly persisted on the disk and then reloaded. If the option has been configured in Jenkins starting from 2.16, a reconfiguration may be required. (issue 39465)
Prevent NullPointerException when rendering CauseOfInterruption.UserInterruption in build summary pages for non-existent users. (issue 38721 and issue 37282, regression in 2.14)
Display transient actions for labels. (issue 38651)
Performance: Fix the performance of file compress/uncompress operations over the remoting channel. (issue 38640, issue 38814)
Add user to restart log message for restart after plugin installation. (issue 38615)
Remoting 2.62.2: Improve connection stability by turning on Socket Keep-alive by default. Keep-alive can be disabled via the -noKeepAlive option on agent process. (issue 38539)
Remoting 2.62.2: Prevent NullPointerException in Engine#connect() when host or port parameters are null or empty. (issue 37539)
Jenkins startup does not fail if one of ComputerListeners throws exception in the onOnline() handler. (issue 38487)
Fix handling of the jenkins.model.Jenkins.slaveAgentPort system property, which was not honored. (issue 38187, regression in 2.0)
Properly enable submit button on New Item page when choosing item type first. (issue 36539)
Add missing internationalization support to ResourceBundleUtil. It fixes internationalization in Blue Ocean and Jenkins Design Language. (issue 35845)
Properly handle quotes and other special symbols in item names during form validation. (issue 31871)
Prevent deadlocks during modification of node executor numbers (e.g. during deletion of nodes). (issue 31768)
Restore automatic line wrapping in Build Step text boxes with syntax highlighting. (issue 27367)
Print warnings if none of Tool Installers can be used during the tool installation. (issue 26940)
Node build history page was hammering the performance of the Jenkins instance by spawning parallel heavy requests. Now the information is being loaded sequentially. (issue 23244)
Fix JS/browser memory leak on Jenkins dashboard. (issue 10912)

What's new in 2.19.3 (2016-11-16)

Important security fixes (security advisory)
Allow disabling the Jenkins CLI over HTTP and JNLP agent port by setting the System property jenkins.CLI.disabled to true.

What's new in 2.19.2 (2016-11-01)

Prevent instatination of jenkins.model.Jenkins on agents in the ProcessKillingVeto extension point. (issue 38534)
Decrease connection timeout when changing the JNLP agent port via Groovy system scripts. (issue 38473)
Fix NullPointerException when descriptor is not in DescriptorList. (issue 37997)
Print warnings to system logs and administrative monitors when Jenkins initialization does not reach the final milestone. (issue 37874, diagnostics for issue-37759)
Allow the use of custom JSON signature validator for Update Site metadata signature checks. (issue 36537)
Failed to load jenkins.util.SystemProperties on agents. (issue 35184)
CLI: Connection over HTTP was not working correctly. (issue 34287, regression in 2.0)
Use the correct 'gear' icon for Manage Jenkins in Plugin Manager. (issue 34250)
Build history was not properly updating via AJAX. (issue 31487)
CLI: Disable the channel message chunking by default. Prevents connection issues like java.io.StreamCorruptedException: invalid stream header: 0A0A0A0A. (issue 23232)
Exclude /cli URL from CSRF protection crumb requirement, making the CLI work with CSRF protection enabled and JNLP port disabled. (issue 18114)

What's new in 2.19.1 (2016-10-03)

Changes from 2.19:

Fixed the missing icon in the System Script console. (issue 37814)
Fixed background color in the ComboBoxList element in order to make options visible. (issue 37549)
Fixed editing default view description with automatic refresh. System message is not being displayed instead of the view description. (issue 37360)
Do not process null CRON specifications in build triggers. (issue 36748, enhances fix in 2.15)
Setup wizard now checks if the restart is supported on the system before displaying the restart button. (issue 33374)
Test Windows junctions before Java 7 symlink in symbolic link checks. (issue 29956)

Notable changes since 2.7.4:

Fix plugin dependency resolution. Jenkins will now refuse to load plugins with unsatisfied dependencies, which resulted in difficult to diagnose problems. This may result in errors on startup if your instance has an invalid plugin configuration., check the Jenkins log for details. (issue 21486)
Don't load all builds to display the paginated build history widget. (issue 31791)
Tell browsers not to cache or try to autocomplete forms in Jenkins to prevent problems due to invalid data in form submissions. From now on, only select form fields (e.g. job name) will offer autocompletion. (issue 18435)
Add diagnostic HTTP response to TCP agent listener. (issue 37223)
Allow admins to control the enabled agent protocols on their instance from the global security settings screen. (issue 37032)
Prevent NullPointerException on startup after update from Jenkins 2.5. (issue 35206)
Always send usage statistics over HTTPs to the new usage.jenkins.io hostname. (issue 35641)
Do not inject build variables into Maven process by default for new projects. (issue 25416, issue 28790)
IllegalStateException under certain conditions when reloading configuration from disk while jobs are in the queue. (issue 27530)
Underprivileged users were unable to use the default value of a password parameter. (issue 36476)

What's new in 2.7.4 (2016-09-08)

Prevent File descriptor leaks when reading plugin manifests. It causes failures during the upgrade of detached plugins on Windows. (issue 37332)

What's new in 2.7.3 (2016/08/31)

Stop A/B testing of the remoting JNLP3 protocol due to the known issues. The protocol can be enabled manually via the jenkins.slaves.JnlpSlaveAgentProtocol3.enabled system property. (issue 37315)
When checking Update Center, append ?uctest parameter to HTTP and HTTPS URLs only. (issue 37189)
Ensure that detached plugins are always at least their minimum version. (issue 37041)
Remove trailing space from Hudson.DisplayName in Spanish, which resulted in problems with Blue Ocean. (issue 36940)
Make sure that the All view is created. (issue 36908)
Incorrect formatting of messages in the Update Center and Setup Wizard. (issue 36757)
Underprivileged users were unable to use the default value of a password parameter. (issue 36476)
Properly handle exceptions during global configuration form submissions when SCM Retry Count field is empty. (issue 36387)
Do not allow disabled project to be triggered remotely. (issue 36193)
Ensure that SCMDescriptor.newInstance overrides are honored when creating new SCM entries. (issue 36043, issue 35906)
Add a cache for user information to fix performance regression due to SECURITY-243. (issue 35493)
Performance: Disable AutoBrowserHolder by default to improve the changelog rendering performance. (issue 35098)
Honor non-default update sites in setup wizard. (issue 34882)

What's new in 2.7.2 (2016/08/03)

Always send usage statistics over HTTPs to the new usage.jenkins.io hostname. (issue 35641)
Fix issues in file management in hudson.remoting.Launcher (main executable class). (issue 35494)
Remoting 2.60: Fix potential file handle leaks during the build agent startup. issue 35190)
Remoting 2.60: Proper handling of the no_proxy environment variable. (issue 32326)
Performance: Improve configuration page load times by removing the CodeMirror reloading cycle. (issue 32027)
Remoting 2.60: hudson.Remoting.Engine#waitForServerToBack now uses credentials for connection. (issue 31256)
IllegalStateException under certain conditions when reloading configuration from disk while jobs are in the queue. (issue 27530)
Allow keeping builds forever with custom build retention strategies. (issue 26438)
Remoting 2.60: Make the channel reader tolerant against Socket timeouts. (issue 22722)

What's new in 2.7.1 (2016/07/06)

Changes from 2.7:

Installation Wizard: Do not offer creating new admin user if the security is preconfigured. (Issue 34881)
API: Make it easier for UpdateSites to tweak the InstallationJob. (Issue 35402)
Fix the repeatable item delete button layout in Safari. Addresses Build Steps and other such configuration items. (Issue 35178)
Prevent NullPointerException on startup after update from Jenkins 2.5. (Issue 35206)
Explicitly declare compatibility of Windows build agent service with .NET Framework 4. (PR #2386)
Honor noProxy settings from "Manage Jenkins > Manage Plugins > Advanced". (Issue 31915)
API: Restrict external usages of jenkins.util.ResourceBundleUtil. (Issue 35381)
Internal: Upgrade Groovy to 2.4.7 to finalize the fix in Jenkins 2.7. (Issue 34751)

Notable changes since 1.651.3:

New password-protected setup wizard shown on first run to guide users through installation of popular plugins and setting up an admin user. (issue 30749, issue 9598)
Plugin bundling overhaul: Bundled plugins are only installed if necessary when upgrading, all plugins can be uninstalled. (issue 20617)
Redesigned job configuration form makes it easier to understand the option hierarchy, and to navigate the form. (issue 32357)
Richer 'Create Item' form with job icons and job categories (once a threshold of three categories has been reached). (issue 31162)
Support encrypted communication between master and inbound Jenkins agents. (issue 26580)
Enable disabled dependencies during plugin installations. (issue 34494)
Force ordering between GPG and jarsigner to ensure correct GPG signature. (pull 2285)
Secured Jenkins installations didn't properly save the queue on shutdown. (issue 34281)
Upgrade wizard encourages installation of Pipeline related plugins when upgrading from 1.x. (issue 33662)
Jenkins now requires Servlet 3.1. Upgraded embedded Winstone-Jetty to Jetty 9 accordingly. This removes AJP support when using the embedded Winstone-Jetty container. (issue 23378)
Bundled Groovy updated from 1.8.9 to 2.4.7. (issue 21249)
Moved tools configuration from Configure Jenkins to separate dialog.
Added option to prohibit anonymous access to security realm "Logged in users can do anything", enable by default. (issue 30749)
Renamed 'slave' to 'agent' on the UI. (issue 27268)
Improvements to inline documentation of numerous form fields in Jenkins global and job configuration. (issue 33364)
Change default CSRF protection crumb name to Jenkins-Crumb for nginx compatibility. (issue 12875)
Add symbol annotations on core. (pull 2293)
Workaround for unpredictable Windows file locking. (issue 15331)
Remove the historical initialization of CVS changelog parser for jobs without explicit SCM definition. Warning! This change may potentially cause a regression if a Jenkins plugin depends on this default behavior and injects changelogs without SCM. (issue 4610)
Add the JOB_BASE_NAME environment variable to builds (job name without path). (issue 25164)
Allow overriding Jenkins UpdateCenter by a custom implementation. (issue 34733)
Allow overriding Jenkins PluginManager by a custom implementation. (issue 34681)
Allow setting of properties from context.xml and web.xml in addition to setting system properties from the command line. (issue 34755)
Remoting: Allow Jenkins admins to adjust the socket timeout. (Controlled by hudson.remoting.Engine.socketTimeout) (issue 34808)
Remoting: Allow disabling the remoting protocols individually. Allows working around compatibility issues like JENKINS-34121. (Controlled by PROTOCOL_CLASS_NAME.disabled) (issue 34819)
Remoting, scalability: Ensure that the unexporter cleans up whatever it can each GC sweep. (issue 34213)
Remoting: Force class load on UserRequest to prevent deadlocks on Windows nodes agents in the case of multiple classloaders. (Controlled by hudson.remoting.RemoteClassLoader.force) (issue 19445)
Make ToolInstallers to follow HTTP 30x redirects. (issue 23507)
Disable JSESSIONID in URLs when running in the JBoss web container. It prevents Error 404 due to invalid links starting from Jenkins 1.556. More info: WFLY-4782 (issue 34675)
Allow starting non-AbstractProject (e.g. Pipeline) jobs from CLI. (issue 28071)
Plugin Manager was building incorrect list of bundled plugins for nested dependencies. (issue 34748)
Developer API: Add WorkspaceList.tempDir(…). (issue 27152)
Developer API: Allow putting @Initializer annotations on instance methods. (pull 2176)
Developer API: Allow specifying custom AbortExceptions. (pull 2288)

What's new in 1.651.3 (2016/06/08)

Cannot enable disabled dependencies. (issue 32340)
Listed Parameters should reflect what was used when the build ran. (issue 34858)
Installation Wizard: SEVERE errors in logs, enabling of the enabled plugin. (issue 34710)
Check Updates PeriodicWork dies horribly in the case of invalid signature. (issue 34745)
RSS ID duplication for items with same name in different folders. (issue 34767)
Remoting, scalability: Ensure that the unexporter cleans up whatever it can each GC sweep. (issue 34213)
Remoting: Force class load on UserRequest to prevent deadlocks on Windows nodes agents in the case of multiple classloaders. (Controlled by hudson.remoting.RemoteClassLoader.force) (issue 19445)
Remoting: Allow Jenkins admins to adjust the socket timeout. (Controlled by hudson.remoting.Engine.socketTimeout) (issue 34808)
Remoting: Allow disabling the remoting protocols individually. Allows working around compatibility issues like JENKINS-34121. (Controlled by PROTOCOL_CLASS_NAME.disabled) (issue 34819)

What's new in 1.651.2 (2016/05/11)

Important security fixes (security advisory)
Update remoting to 2.57. (issue 33999, issue 32980, issue 28289)
Pipeline runs not reliably started after restart when using Build after other projects are built. (issue 33971)
Prevent badges in build history sidepanel widget from overlapping page contents. (issue 33826)
Do not hardcode .bat extension for Maven on Windows. (issue 33693)
Don't store redundant build causes, make list of build causes immutable. (issue 33467)
Make context menu link Delete Project work with CSRF protection enabled. (issue 18032)

What's new in 1.651.1 (2016/04/14)

Changes from 1.651:

Honor the option to opt out of usage statistics submission. (advisory)
Plugin filters were failing to be removed and blocking restart. (issue 33681)
Do not fail update center check if there are no tool installers defined. (issue 32831)
Fix argument masking for sensitive build variables on Windows. (issue 28790)
Under some conditions Jenkins startup could fail because of incorrectly linked extensions; now recovering more gracefully. (issue 25440)
Multiple bug fixes related to shutdown sequence. (issue 33377, issue 33384)

Notable changes since 1.642.3:

Move periodic task log files from JENKINS_HOME/*.log to JENKINS_HOME/logs/tasks/*.log and rotate them periodically rather than overwrite every execution. (issue 33068)
Allow changing the directory used for the extraction of plugin archives via the --pluginroot CLI option (also controllable via the hudson.PluginManager.workDir system property / context parameter. Also document the --webroot CLI parameter in java -jar jenkins.war --help (issue 32765)
Unify CLI exit code semantics. (issue 32273)
Add time zone to generation date in footer in most locales. (issue 32194)
The Windows service wrapper now specifies the --webroot argument to extract the war file into %BASE%. (pull 1951)
Allow retrying core update when the first attempt failed. (issue 11016)
Allow specifying the default TCP agent listener port via system property. (commit 653fbdb)
Fix documentation of proxy configuration. (pull 2060)
Retrieve tool installer metadata from all update sites. (issue 32328)
Fields on the parameters page are no longer aligned at the bottom. (issue 31753)
Cleanup of CLI error handling and return codes. (issue 32273)
Boot failure hook script did not work, WebAppMain.contextDestroyed produces weird errors. (issue 24696)
ArrayIndexOutOfBoundsException when parsing range set. (issue 32852)
Generate new instance identity file when the existing one is found to be corrupt. (issue 29240)
Developer: The official parent POM for plugins is now hosted in the plugin-pom repository, starting with version 2.0. (issue 32493)
API changes: Add a reusable implementation of IdleOfflineCause class. (commit 7e05b50)
Developer: Split test harness into separate artifact. (issue 32478)
Developer: Pass $it to contents of dropdownDescriptorSelector. (issue 19565)

What's new in 1.642.4 (2016/03/31)

Honor the option to opt out of usage statistics submission. (advisory)

What's new in 1.642.3 (2016/03/16)

Fields on the parameters page are no longer aligned at the bottom. (issue 31753)
Under some conditions a build record could be loaded twice, leading to erratic behavior. (issue 22767)

What's new in 1.642.2 (2016/02/24)

Important security fixes (security advisory)
Don't submit usage statistics while Jenkins hasn't finished loading. (issue 32190)
Performance regression when setting JDK installations. (issue 31932)
Renaming a node over another was possible and destroys both configurations. (issue 31321)
A CloudProvisioningListener can prevent provisioning of all clouds instead of just the targeted cloud. (issue 31219)
GroovyHookScript needs Jenkins to be initialized but should not (for e.g. boot failure script). (issue 24696)
Don't show “termination trace” as warning in the log as it's not necessarily an error condition. (issue 32567)

What's new in 1.642.1 (2016/01/20)

No changes compared to 1.642. Notable changes since 1.625.3:

Build history pagination and search. (issue 26445)
“Form too large” errors from Jetty when submitting massive forms. (issue 20327)
Allow retrying core update when the first attempt failed. (issue 11016)
Allow specifying the default TCP agent listener port via system property. (commit 653fbdb)
Display expected CRON run times even if a warning occurs. (issue 29059)
Add "lastCompletedBuild" job permalink. (issue 26270)
Allow case insensitive file patterns in Artifacts Archiving. (issue 5253)
Let a combobox display its drop-down when focused, so users can see candidates without entering a letter. (issue 26278)
Add safari pinned tab icon. (discussion)
Plugin Manager UI prevents users from enabling/disabling/uninstalling plugins at the "wrong" time. (issue 23150)
Do not show REST API link for pages which have no API handlers. (issue 29014)
JS alert still prevented leaving a configuration page without changes. (issue 21720)
API: New OptionalJobProperty class to simplify JobProperty creation. (PR 1888)
API: Add get method for causes of interruption in hudson.model.Executor (PR 1712)

What's new in 1.625.3 (2015/12/09)

Important security fixes (security advisory)
SECURITY-186 regression: non-item tasks hidden (issue 31649)
Inbound agents can fail to correctly negotiate a transport (issue 31718)
delete-node CLI command did not work correctly for cloud nodes (issue 31098)

What's new in 1.625.2 (2015/11/11)

Important security fixes (security advisory)
AbstractBuildExecution#reportError should work will any kind of Build Step (issue 30730)
Optimize TagCloud size calculation (issue 30705)
Tar implementation can't handle > 8GB and doesn't error out. (issue 10629)
FlyWeightTasks tied to a label will not cause node provisioning and will be blocked forever. (issue 30084)

What's new in 1.625.1 (2015/10/14)

Build history text field wrap fails when containing markup (issue 26406)
First-time display with many Maven jobs blocked in FingerprintAction.compact (issue 19392)
Animated ball in job's build history widget won't open Console Output (issue 26365)
Memory leak in ProgressiveRendering (issue 25081)
Hudson test case leaks temp folders (issue 4409)
Large number of build parameters for pending jobs (e.g.gerrit triggered job) can cause unwieldy build history (issue 22311)
"unknown format type" on console output (issue 24614)
Build health computed twice per job (issue 25074)
SSH agents can block for a long time in NativePRNG (issue 20108)
ClosedByInterruptException in JenkinsRule setup (issue 30395)
Job owned by SYSTEM instead of creator when 'Setup after creation' used (issue 25400)
AbstractProject: makeDisabled() performs operations even if supportsMakeDisabled() is false (issue 24340)
Infinite loop with crontab "H H(19-24) * * *" (issue 25897)
quietDown reports HTTP 405 Method Not Allowed (issue 23942)
"Given final block not properly padded" after deleting master.key after Java security update (issue 25937)
Run parameters should display in human readable form rather than build numbers (issue 25174)
FilePath.validateAntFileMask sucks up heap (issue 25759)
AbstractLazyLoadRunMap.entrySet improperly cached (issue 25655)
Wrong EOL (UNIX type: LF) in Windows batch files executed for build steps of type "Execute Windows batch command" (issue 7478)
JDK9 with jigsaw file layer is not detected as valid JDK (issue 25601)
Basic Authentication in combination with Session is broken (issue 25144)
Missing build history moving a job when BuildDir is set to a custom location (issue 24825)
Maven build step fail to launch mvn process when special chars are present in build variables (issue 26684)
Manage->Cancel Shutdown requests POST method and even POST fails due to invalid crumb if CSRF protection is enabled (issue 23020)
Unnecessarily slow & serialized I/O for top-level item loading in loadTasks (issue 25473)
No wrap up(not in multiple lines) of too long list of agents at label page (issue 25989)
Jenkins merges queued builds with the different file parameters (issue 19017)
RunIdMigrator fails to revert Matrix and Maven jobs (issue 29989)
WARNING: hudson.model.FreeStyleProject@9a4e77f[...] did not contain ... #584 to begin with (issue 25788)
ListView's ItemListener runs with user privileges, might miss affected views (issue 22769)

What's new in 1.609.3 (2015/09/02)

When NodeProvisioner processes planned nodes, it must always call spent() (issue 29568)
Sort by 'Free Disk Space' is incorrect (issue 29286)
Label expression help is missing in recent Jenkins versions (issue 29376)
The curious case of the Channel memory cycles (issue 28844)
Excessive classes being sent to agent machine (issue 28058)

What's new in 1.609.2 (2015/07/28)

NPE may happen if somebody tries to drop the e-mail JenkinsLocationConfiguration:setAdminAddress() (issue 28419)
Build History badges don't wrap (issue 28455)
Deadlock between Queue.maintain and Executor.interrupt (issue 28840)
Jenkins queue self-locking without apparent reason? (issue 28926)
Deadlock in hudson.model.Executor (issue 28690)
UnlabeledLoad.computeQueueLength() includes labeled jobs (issue 28446)
Job loading can be broken by a NPE in a build trigger (issue 27549)
post-build action statuses handling (issue 26964)

What's new in 1.609.1 (2015/05/29)

Concurrent build limits not honored on Jenkins 1.607 (issue 27708)
Division by zero in Executor.getProgress (issue 28115)
Channel listener onClose propagated exceptions (issue 28062)
Failed to instantiate class hudson.plugins.copyartifact.CopyArtifact when saving a job (issue 28011)
Block on upstream projects does not work (issue 27871)
Unhelpful log warning about stapler-class (issue 27918)
404 on jenkins.plugins.nodejs.tools.NodeJSInstaller.json.html (issue 28093)
1.610 “Failed to instantiate” error (issue 28110)
NPE from LoadStatistics$LoadStatisticsSnapshot$Builder.with (issue 28384)
Dropdowns display limited and scrollable (issue 27067)

What's new in 1.596.3 (2015/05/20)

Build history text field wrap fails when containing markup (issue 26406)
Maven build step fail to launch mvn process when special chars are present in build variables (issue 26684)
Hudson test case leaks temp folders (issue 4409)

What's new in 1.596.2 (2015/03/23)

Important security fixes (security advisory)
JDK9 with jigsaw file layer is not detected as valid JDK (issue 25601)
First-time display with many Maven jobs blocked in FingerprintAction.compact (issue 19392)
Animated ball in job's build history widget won't open Console Output (issue 26365)
Large number of build parameters for pending jobs (e.g.gerrit triggered job) can cause unwieldy build history (issue 22311)
Infinite loop with crontab "H H(19-24) * * *" (issue 25897)
Run parameters should display in human readable form rather than build numbers (issue 25174)

What's new in 1.596.1 (2015/02/28)

Important security fixes (security advisory)
Job failure on remote node running JDK1.8 - java.lang.NoSuchMethodException: java.lang.UNIXProcess.destroyProcess(int) (issue 21341)
Download update center from master by default (issue 19081)
ArrayIndexOutOfBoundsException during Jenkins.doConfigSubmit; need XStream 1.4.6 (issue 18537)
"Given final block not properly padded" after deleting master.key after Java security update (issue 25937)

What's new in 1.580.3 (2015/01/27)

Basic Authentication in combination with Session is broken (issue 25144)
No wrap up(not in multiple lines) of too long list of agents at label page (issue 25989)
FilePath.validateAntFileMask sucks up heap (issue 25759)
Unnecessarily slow & serialized I/O for top-level item loading in loadTasks (issue 25473)
AbstractLazyLoadRunMap.entrySet improperly cached (issue 25655)
Build health computed twice per job (issue 25074)
WARNING: hudson.model.FreeStyleProject@9a4e77f[...] did not contain ... #584 to begin with (issue 25788)
"Given final block not properly padded" after deleting master.key after Java security update (issue 25937)

What's new in 1.580.2 (2014/12/15)

Job owned by SYSTEM instead of creator when 'Setup after creation' used (issue 25400)
Missing build history moving a job when BuildDir is set to a custom location (issue 24825)
Manage->Cancel Shutdown requests POST method and even POST fails due to invalid crumb if CSRF protection is enabled (issue 23020)
Memory leak in ProgressiveRendering (issue 25081)
AbstractProject: makeDisabled() performs operations even if supportsMakeDisabled() is false (issue 24340)
Jenkins merges queued builds with the different file parameters (issue 19017)
quietDown reports HTTP 405 Method Not Allowed (issue 23942)
SSH agents can block for a long time in NativePRNG (issue 20108)
ListView's ItemListener runs with user privileges, might miss affected views (issue 22769)

What's new in 1.580.1 (2014/10/29)

Important security fixes (security advisory)
Jetty should be used rather than Winstone for embedded deployments (issue 18366)
Updating a WAR should unpin a plugin which is now older than the bundled plugin (issue 24046)
"unknown format type" on console output (issue 24614)
Wrong EOL (UNIX type: LF) in Windows batch files executed for build steps of type "Execute Windows batch command" (issue 7478)

What's new in 1.565.3 (2014/10/01)

Important security fixes (security advisory)
CLI calls are causing file descriptor leaks. (issue 23248)
Test result trend breaks lazy-loading (issue 23945)
Unable to kill a job which is running (issue 17667)
Job is removed from ListView after rename (issue 23893)
set-build-result and set-build-parameter do insufficient checks (issue 24080)
"incompatible InnerClasses attribute" error in IBM J9 VM (issue 22525)
Deadlock in OldDataMonitor (issue 24358)

What's new in 1.565.2 (2014/09/03)

Jenkins needs to check whether the war's directory is writeable before offering to upgrade (issue 23683)
AbstractLazyLoadRunMap.iterator() calls .all() (issue 18065)
Jenkins no longer kills running processes after job fails (issue 22641)
HTTP error 405 when trying to restart ssh host (issue 23094)
Run.delete (from LogRotator) failing with "...looks to have already been deleted" (issue 22395)
file name encoding broken in zip archives (issue 20663)
Kill win32 processes from win64 JVMs (issue 23410)

What's new in 1.565.1 (2014/07/30)

Queue.maintain does disk I/O via PeepholePermalink.resolve (issue 22822)
“Form too large” errors submitting view configurations with many jobs (issue 20327)
NPE on plugin install (issue 20031)
Link to the console output missing in popup when log >200Kb (issue 14264)
Parameters: NPE in canTake() procedures may kill all executors (issue 15094)
NPE from AbstractBuild$AbstractBuildExecution.run (issue 23277)
broken ProjectNamingStrategy Extension (issue 23127)
Move DecoratedLauncher from the custom-tools plugin to the Jenkins Core (issue 19454)
hudson.Launcher:ProcStarter::envs() may throw NPE (issue 20559)
Resource leak in hudson.model.FileParameterValue (issue 22693)
ReverseBuildTrigger.threshold not consistently saved (issue 23191)
AccessRestriction on SecurityListener methods (issue 23417)
After deleting folder, get 404 (issue 23375)
email-ext plugin doesn't handle tokens when an agent has gone offline: IAE from AbstractProject.getEnvironment (issue 23517)
Jenkins cannot restart Windows service (issue 22685)
Rules for showing/hiding SCMTrigger.pollingThreadCount option are broken (issue 22934)

What's new in 1.554.3 (2014/06/30)

Queue.maintain does disk I/O via PeepholePermalink.resolve (issue 22822)
Non-recursive ListViews unnecessarily call owner.getAllItems in getItems (issue 22720)
SSH agent connections die after the agent outputs 4MB of stderr, usually during findbugs analysis (issue 22938)
Jenkins cannot restart Windows service (issue 22685)

What's new in 1.554.2 (2014/05/30)

Don't ask for confirmation when it doesn't make any sense (issue 21720)
On a configure screen that has multiple groups of radio buttons, clicking the apply button clears all but the last radio group selection (issue 22570)
Optimize creation of relative links to jobs (issue 18364)
Jenkins asks for confirmation before leaving edited 'View Configuration' page (issue 20597)
OutOfOrderBuildMonitor fails to correct builds with duplicate number (issue 22631)
Computer does not exist returns NPE (issue 21999)
Last build of project reloaded when project asked for later build (issue 22681)
After clicking 'Apply' at least once, 'Save' opens a new window (issue 20245)
hetero-radio should work with multiple instances of the same ui (issue 22583)
Cannot submit configuration after removing groovy step (issue 22582)
No autocompletion and NullPointerException when using 'Copy Existing Job' (issue 22142)

What's new in 1.554.1 (2014/04/30)

NPE if trying to install a plugin from the update center and either the update source or the plugin contains a '.' in its name (issue 22080)
Download update center from master by default (issue 19081)
OutOfMemory due to unbounded storage in OldDataMonitor (issue 19544)
Very slow resource loading from UberClassLoader (issue 21579)
Jetty exploding war to /tmp is a bad idea (issue 22442)
Performance issue with search box (issue 21969)
ArrayIndexOutOfBoundsException during Jenkins.doConfigSubmit; need XStream 1.4.6 (issue 18537)
NullPointerException when trying to mark agent temporarily offline (issue 21875)
Build queue is not filtered after progress updated (issue 20500)
copy-job permission checks wrong (issue 22262)

What's new in 1.532.3 (2014/04/11)

Replace description in error dialog instead of appending (issue 21457)
NPE from xstream.core.JVM.isOpenJDK (issue 21183)
WorkspaceCleanupThread does not handle folders (issue 21023)
Copy Artifact's fingerprinting creates second hudson.tasks.Fingerprinter_-FingerprintAction section with just the artifacts copied (issue 17606)
/login offers link to /opensearch.xml which anonymous users cannot retrieve (issue 21254)
Miscellaneous exceptions in config.xml can prevent entire job from loading (issue 21024)
Jobs named "." can be created, but not built, configured, accessed, ... (issue 21639)
DirectoryBrowserSupport.buildChildPaths does quadratic number of calls to check whether entries are directories (issue 21780)
ZIP file download generates corrupt zip file (issue 20345)
Update credentials plugin to 1.9.4 (issue 21820)
Apply button does not work in IE Compat View (issue 19826)
Deadlock while parallel deletion/rename of jobs (issue 19446)

What's new in 1.532.2 (2014/02/14)

Important security fixes (security advisory)
CannotResolveClassException breaks loading of entire containing folder, not just one job (issue 20951)
Using jenkins-cli connecting to HTTPS port fails due to hostname mismatch in certificate (issue 12629)
HTTP two-way remoting does not work (jenkins-cli.jar without JNLP) (issue 20128)
Agent launcher fails after NoClassDefFoundError: Could not initialize class jenkins.model.Jenkins$MasterComputer (issue 19453)
StreamCorruptedException (issue 8856)
Fail to run 'groovysh' in CLI due to insufficient permission (issue 17929)
Loading projects too slow because of File.isDirectory calls (issue 21078)
HTML metacharacters not escaped in log messages (issue 20800)
Channel's executorService's pool should have a name (issue 19004)
ListView.expand throws ClassCastException: … cannot be cast to hudson.model.TopLevelItem (issue 20415)
RingBufferLogHandler throws ArrayIndexOutOfBoundsException after int-overflow (issue 9120)
l:breakable mishandles HTML metacharacters (issue 20928)
Start inbound agent ignores jar-cache flag (issue 20093)
Too many open files upon HTTP listener init or shutdown (issue 14336)
Extension point for secure users of Api (issue 16936)
'Apply' error screens don't work (issue 20772)
Workspaces seem to be removed prematurely on concurrent jobs (issue 10615)
Disable\Delete "Remember me on this computer" check box in login screen (issue 15757)
Builds disappear some time after renaming job (issue 18678)
Use RunAction2 from TestResultAction (issue 18410)
java.lang.NoClassDefFoundError: sun/net/www/protocol/jar/JarURLConnection (issue 20163)
you cannot use the cli without giving Overall read to Anonymous (issue 8815)

What's new in 1.532.1 (2013/11/25)

Collecting findbugs analysis results occasionally causes ssh agents to go offline causing job to abort (issue 19619)
Bytecode compatibility transformer mistakenly corrupts org.apache.ivy.core.settings.IvySettings.triggers (issue 19383)
Functions.globalIota overflow (issue 20085)
Upgrade bundled versions of Credentials, SSH Credentials and SSH Build Agents plugins (issue 19945)
/me/my-views/editDescription may be used by any user to set global description (issue 18633)
Missing base directory in ZIP from .../artifact/dir/subdir/*zip*/subdir.zip (issue 19947)
After deleting last build, next build of last build is zombie (issue 19920)
Upgrade error to 1.531: PROXY_HEADER is null (issue 19613)
Upgrade bundled versions of Credentials and SSH Build Agents so we can assume <c:select/> available (issue 20071)
Collecting finbugs analysis results randomly fails with exception (issue 18879)
ViewJobFilter.filter expect "All jobs that are possible." but don't get recursive ones (issue 20143)
Download build artifacts as zip generates a corrupted file (issue 19752)
Jenkins redirecting from https to http (issue 10675)
java.io.IOException: Unexpected termination of the channel (issue 18836)
When installing a plugin and the needed dependencies have compatibility issues, warn the user (issue 19739)
Installing a plugin with optional dependencies doesn't upgrade the optional dependencies when needed (issue 19736)
After upgrade from 1.519 to 1.526 -> NumberFormatException occurs during maven 3 build (issue 19251)

What's new in 1.509.4 (2013/10/09)

Configurable loggers should capture messages on agents (issue 18274)
@RequirePOST and similar should send a 405 (issue 16918)
Using jenkins-cli connecting to HTTPS port fails due to hostname mismatch in certificate (issue 12629)
[XStream] ConcurrentModificationException from DefaultConverterLookup (issue 18775)
@QueryParameter with @RelativePath broken (issue 18776)
fingerprint are truncated (issue 19515)
Environment variable replacement/resolving (issue 16660)
failed to archive agent artifacts. Unexpected end of ZLIB input stream (issue 19473)
winstone.ClientSocketException: Failed to write to client (issue 10524)
/log/all polluted with FINE* messages from other loggers (issue 18959)
Incorrect redirect after editing view with Unicode name (issue 18373)
Flyweight jobs and zero executors (issue 7291)
ERR_CONTENT_DECODING_FAILED on Custom Views with Project-based Matrix Authorization (issue 15437)
Buttons do not work in IE 11 (issue 19171)
CLI login command fails on Windows (issue 19192)
Problems with "Latest Test Result" and "Aggregated Test Result" links (issue 9637)
Exception while trigger downstream projects (issue 17247)
Maven 2 jobs fail (exception in MavenFingerprinter) (issue 18441)
Outdated JRuby libs (issue 14351)
Deadlock (issue 18589)
When copying folder, display names of contained jobs are gratuitously cleared (issue 18074)
Incorrect redirection after delete of job in folder in view (issue 17575)
Javadoc project action yields HTTP 404 (issue 19168)
Memory exhaustion parsing large test stdio from Surefire (issue 15382)
With lazy-build loading estimated build duration may become expensive (issue 18196)
Can't build using maven 3.1.0 (issue 15935)
Cannot create a custom logger matching any namespace (issue 17983)
Clean up fingerprint records that correspond to the deleted build recods (issue 18417)
"projects tied to node" shows unrelated maven module jobs (issue 17451)
hudson.security.AccessDeniedException2: anonymous is missing the Administer permission (issue 15578)
”My Views" links leads to 404 Not Found (issue 17317)
Some jobs not loaded after jenkins restart: java.lang.NoSuchFieldError: triggers (issue 18677)
New lazy loading permalinks can break job.lastStableBuild != null => job.lastSuccessfulBuild != null (issue 18846)

What's new in 1.509.3 (2013/09/09)

Standalone install does not work with Apache + mod_proxy_ajp + SSL (issue 5753)
Reload configuration from disk no longer works after upgrade to Jenkins 1.512. (issue 17977)
Build Now link on MultiJob page doesn't work (issue 16974)
Add descriptions for custom tools (issue 18771)
Lazy loading causes massive delays after a period of inactivity when loading dashboard (issue 16023)
NPE running matrix job (issue 18024)
LastSuccessful and LastStable symlinks are invalid under Windows (issue 17681)
IllegalStateException from MavenProject.getParent can break MavenFingerprinter.recordParents (issue 17775)
NPE (isEmpty) from main.groovy (issue 15309)
DependencyClassLoader#getTransitiveDependencies returns disabled plugins (issue 18654)
parameter description don't use MarkupFormatter (issue 18427)
Incompatible signature change in 1.489: AbstractProject.doBuild (issue 18356)
Display Name is not shown (issue 17715)
Fingerprint throws exceptions on 1.518 (issue 18337)
FingerprintAction deserialization leads to NPE (issue 17125)
update view via REST API doesn't work (issue 17302)
MavenModuleSetBuild.getResult is expensive (issue 18895)
Builds disappear from jobs - hudson.util.IOException2: Invalid directory name - java.text.ParseException: Unparsable date: "39" (issue 15587)
Outdated JRuby libs (issue 14351)
Fingerprint performance (issue 16301)
10,000+ jobs tied to a label make Node index page unusably unresponsive (issue 18660)
"Delete Project" link fails with 403 Exception: No valid crumb was included in the request (issue 18032)
Manually uploaded plugins are incorrectly unpacked (issue 4543)
Decorated Launcher Does Not Maintain "isUnix" for RemoteLauncher (issue 18368)
Test harness packs copies of Maven into plugin archive (issue 18918)
All Maven 2 builds fail with java.lang.NoSuchMethodError DigestUtils.md5Hex (issue 18178)

What's new in 1.509.2 (2013/06/27)

Quoting Issue with JDK Installer with Windows agents (issue 5408)
/about no longer shows third-party licenses (issue 17724)
Failed to instantiate class hudson.plugins.copyartifact.CopyArtifact (issue 17402)
ArrayIndexOutOfBoundsException from AbstractLazyLoadRunMap.search (issue 15652)
Dashboard web pages don't render correctly in Chrome because of bad cache/session (issue 17684)
NPE from MatrixConfiguration.newBuild (issue 17728)

What's new in 1.509.1 (2013/05/01)

Important security fixes (security advisory)
FilePath.installIfNecessaryFrom routes download over remoting channel (issue 17330)
Add 'Are you sure' on Reload configuration from disk (issue 15340)
Hover-over "Build Now" broken for parameterized jobs: "This page expects a form submission" (issue 17110)
Jenkins is no more WinXP compliant : CreateSymbolicLinkW is not available (issue 17343)

What's new in 1.480.3 (2013/02/15)

Important security fixes (security advisory)
"Remember me on this computer" does not work, cookie is not accepted in new session (issue 16278)
Slow/hung web UI in 1.483+ (stuck in parseURI) (issue 16474)
Failure to delete old config files during rekeying on Windows (issue 16319)
NoClassDefFoundError on Base64 when launching a headless agent with -jnlpCredential option (issue 9679)
Loading asynchPeople calls (synch) People constructor (issue 16397)
Jenkins briefly displays build queue and then it disappears until the page is reloaded (issue 15335)
View.hasPeople too slow to use in sidepanel.jelly (issue 16244)
File parameter causing data lost after Jenkins restart (issue 13536)

What's new in 1.480.2 (2013/01/06)

The master key that was protecting all the sensitive data in $JENKINS_HOME was vulnerable. (security advisory)

What's new in 1.480.1 (2012/11/17)

Important security fixes (security advisory)
FilePath.validateAntFileMask too slow for /configure (issue 7214)
java.io.InvalidClassException (issue 14667)
Log recorders do not work reliably (issue 15226)
Invalid JSON is produced during remote api operations when a changeSet contains duplicate keys. (issue 13336)
Memory exhaustion parsing large test stdio from Surefire (issue 15382)

What's new in 1.466.2 (2012/09/13)

Important security fixes (security advisory)

What's new in 1.466.1 (2012/07/23)

A current active build in the build history is lost if the job configuration XML uploaded (issue 12318)
UnprotectedRootAction doesn't work for /github-webhook/ (issue 14113)
ERR_CONTENT_DECODING_FAILED returned on testResults and console output after Jenkins reload (issue 13625)
Cannot parse coverage results Premature end of file. (issue 11251)

What's new in 1.447.2 (2012/06/11)

Guice injector failure can cause failure of whole Jenkins (issue 13448)
Jenkins runs out of file descriptors (winstone problem) (issue 9882)
Parsing of POM happens before SNAPSHOT-Parents are updated (issue 8663)
Loading All Build History Fails (issue 13238)

What's new in 1.447.1 (2012/03/28)

File handle leak in serving static files (issue 13097)
LDAP config error (issue 8152)
jenkins running in Tomcat doesn't initialize slf4j properly (issue 12650)
java.lang.NoClassDefFoundError: org.slf4j.impl.StaticLoggerBinder (issue 12446)
Remote call on CLI channel from [ip] failed (issue 12302)
jenkins does not start in jboss container (issue 12334)

What's new in 1.424.6 (2012/03/06)

Important security fixes (security advisory)

What's new in 1.424.5 (2012/03/05)

What's new in 1.424.4 (2012/03/05)

What's new in 1.424.3 (2012/02/27)

upgrade Apache Maven Wagon to 2.0 (issue 11164)
ERROR at Matrix-based security (issue 9519)
NPE: Failed to record SCM polling (issue 11592)
JDK Auto install throws FATAL: org/apache/xml/utils/PrefixResolver (issue 11420)
NoSuchMethodError on slf4j (issue 11960)

What's new in 1.424.2 (2012/01/10)

Important security fixes (security advisory)
Viewing large console logs with timestamper plugin cause Jenkins to crash (issue 9349)
Maven3 parallel build fails with java.util.ConcurrentModificationException in Jenkins (issue 11256)
Jenkins PID changes after restart (issue 11742)

What's new in 1.424.1 (2011/11/30)

Important security fixes (security advisory)
JDKInstaller fails with OutOfMemory exception (issue 10689)
Tools download does not appear to respect proxy settings (issue 5271)
Builds fail in JUnit test archiving (since 1.416) if specifying JDK other than the container (issue 10030)
Update Json File Signature Error (issue 11110)
SSH public key based CLI authentication added in 1.419 is broken in 1.421+ (issue 10647)
JSONException (issue 7034)
Jenkins 1.427 doesn't work on AIX (issue 10810)
Maven assembly plugin fails (issue 8837)
SNAPSHOT dependency detection not working for plugins anymore (issue 10530)
Proxy settings arent used by JDK-downloader (issue 10634)

What's new in 1.409.3 (2011/11/08)

Important security fixes (security advisory)

What's new in 1.409.2 (2011/09/12)

Failure in test class constructor or @Before method is not reported (was: Maven plugin doesn't set build to unstable on SurefireExecutionException) (issue 6700)
truncation or corruption of zip workspace archive from agent (issue 9189)
testSaturation-fork remoting test hangs (issue 8703)
Race condition in creating fingerprints for artifacts (issue 10346)
Slave-Squatter + Heavy-Job plugin causes many executor threads to die (issue 8882)
Auto Install JDK asks for Oracle account, but the link goes 404 (issue 10556)

What's new in 1.409.1 (2011/06/06)

Deadlock when upstream and downstream jobs are blocked on each other (issue 8929)
sporadic : ClassCastException for Maven Pom parsing phase on node (issue 9017)
Jenkins 1.399: java.lang.UnsupportedClassVersionError: Bad version number in .class file using JmDNS 3.4.0 (issue 8914)
Raw HTML codes are displayed since 1.407 (issue 9426)
Access to api/json on second level view fails (issue 9367)
NULLPOINTER exception on build 1.395 when saving configuration (issue 8866)
"java.io.IOException: Bad file descriptor" when file copied from agent (issue 7871)
Block when Downstream breaks Block when Upstream (issue 8968)
Remember me box doesn't work with unix groups (issue 9094)