Each section covers the upgrade from the previous LTS release. For example, the section on 2.462.1 covers the upgrade from 2.452.4.
Access to the Resource URL for authenticated users was previously removed in JENKINS-72636.
However, with the release of 2.462.3, this functionality has been restored.
To allow an authenticated user to access the Resource URL, add the system property jenkins.security.ResourceDomainRootAction.allowAuthenticatedUser=true on startup.
This can also be done live by executing the Groovy script jenkins.security.ResourceDomainRootAction.ALLOW_AUTHENTICATED_USER = true.
No notable changes requiring upgrade notes.
The Apache Commons FileUpload library that Jenkins uses for file upload has been upgraded from 1.5 to 2.0 in preparation for the Spring Security 6.x upgrade.
Users of the SAML Single Sign On (SSO) (miniorange-saml-sp) plugin should upgrade to a compatible version in lockstep with upgrading Jenkins core.
Users of the OpenText Application Automation Tools (hp-application-automation-tools-plugin) plugin should wait for a compatible version before upgrading Jenkins core.
The "Disable project" link has been removed from the project (job) page. A project can be disabled from its "Configure" page.
Users that need frequent access to the "Disable project" button can restore it on the project page with the disable job button plugin.
The hudson.model.DirectoryBrowserSupport.allowAbsolutePath system property, the escape hatch that allowed the Windows path traversal vulnerability, has been removed.
Users that rely on it will need to adapt their usage so that it no longer requires the Windows path traversal vulnerability.
No other workaround is planned.
Refer to SECURITY-2481 for details.
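A pre-upgrade check for the two system properties discussed above (the restored Resource URL access flag and the removed allowAbsolutePath escape hatch), as an added example that is not part of the Jenkins project. It assumes the JVM options are available as one whitespace-separated string; the function name, sample string and output wording are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Jenkins project): audit a JVM option string
# for the two system properties named in these upgrade notes.

REMOVED_PROP='hudson.model.DirectoryBrowserSupport.allowAbsolutePath'
RESOURCE_PROP='jenkins.security.ResourceDomainRootAction.allowAuthenticatedUser'

# audit_jvm_opts "<options>": prints one finding per line, nothing if clean.
# Assumption: options are whitespace-separated and contain no quoted spaces.
audit_jvm_opts() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | while IFS= read -r opt; do
        case "$opt" in
            -D*) kv=${opt#-D} ;;
            *)   continue ;;
        esac
        key=${kv%%=*}
        case "$kv" in
            *=*) val=${kv#*=} ;;
            *)   val='' ;;
        esac
        # Boolean values are compared case-insensitively (assumed to match
        # Java's Boolean.parseBoolean behaviour).
        lval=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
        case "$key" in
            "$REMOVED_PROP")
                # Any occurrence is reported: the property has been removed,
                # so a deployment that sets it relied on the escape hatch.
                printf 'REMOVED %s=%s: escape hatch removed, see SECURITY-2481\n' "$key" "$val" ;;
            "$RESOURCE_PROP")
                if [ "$lval" = "true" ]; then
                    printf 'ENABLED %s: authenticated users can access the Resource URL\n' "$key"
                fi ;;
        esac
    done
    return 0
}

# Constructed sample input, not taken from a real installation.
SAMPLE_OPTS='-Xmx2g -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.allowAbsolutePath=true -Djenkins.security.ResourceDomainRootAction.allowAuthenticatedUser=TRUE'
audit_jvm_opts "$SAMPLE_OPTS"
```

The check only covers properties passed on the command line; a value set live through the Groovy script mentioned above does not appear in the option string.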