
Security updates for Jenkins core

Daniel Beck
December 14, 2017

We just released security updates to Jenkins, versions 2.95 and 2.89.2, that fix two security vulnerabilities. For an overview of what was fixed, see the security advisory.

We usually announce core security updates well in advance on the jenkinsci-advisories mailing list, to give Jenkins administrators time to schedule a maintenance window. Additionally, we try to align security updates with the regular LTS schedule. We have chosen not to do so in this case for two reasons:

  • The random failure to set up Jenkins is very noticeable, and, given that we’ve seen automated exploits for unprotected Jenkins instances in the past, we consider it important to fix that issue as soon as possible, so that users setting up new instances of Jenkins can be confident they won’t start up insecurely.

  • The CSRF issue appears to only affect instances for a very short (seconds at most, if at all) time period immediately after startup, so administrators could apply the fix during the next scheduled Jenkins downtime, rather than immediately.

About the author

Daniel Beck

Daniel is a Jenkins core maintainer and member of the Jenkins security team. He was the inaugural Jenkins security officer from 2015 to 2021. He sometimes contributes to developer documentation and project infrastructure in his spare time.