Back to blog

Important security updates for Jenkins

Daniel Beck
December 5, 2018

We just released security updates to Jenkins, versions 2.154 and LTS 2.150.1, that fix multiple security vulnerabilities. Since 2.150.1 is the first release in the new LTS line, we also released 2.138.4, a security update for the previous LTS line. This allows administrators to install today’s security fixes without having to upgrade to the new LTS line immediately.

For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes, see our LTS 2.138.4 upgrade guide.

In the Jenkins core security updates released in August and October, we also included security improvements that can be disabled by setting various system properties. Those changes are an essential part of the SECURITY-595 fix, so we strongly recommend not disabling them for any reason. Previously published documentation has been updated.

About the author

Daniel Beck

Daniel is a Jenkins core maintainer and member of the Jenkins security team. He was the inaugural Jenkins security officer from 2015 to 2021. He sometimes contributes to developer documentation and project infrastructure in his spare time.