Each section covers the upgrade from the previous LTS release, the section on 2.289.1 covers the upgrade from 2.277.4.
No notable changes requiring upgrade notes.
Jenkins 2.300 and LTS 2.289.2 contain a security fix for a session fixation vulnerability. Due to how the Jenkins API and extension points are structured, it is possible that this fix is not compatible with your chosen security realm.
In case of problems authenticating after applying this update, we recommend setting the Java system property
This will apply an alternative (and possibly more compatible) implementation of the security fix.
It is also possible to disable the fix entirely by setting that system property to
This should only be done as a temporary measure and only when understanding the impact of the security issue in your environment.
Note that some plugins have not been yet to be updated to the new icons style yet. This style was reviewed and approved by the Jenkins UX special interest group. For some configurations, there might be slight degradation in Jenkins look & feel until the icons are updated. Any contributions and suggestions are welcome, please contact the UX SIG if needed.
Certain key Jenkins capabilities were initially created inside the Jenkins core. As Jenkins has developed further, capabilities moved from inside Jenkins core to dedicated Jenkins plugins, like the Ant plugin and the Javadoc plugin. When those plugins were created, the plugins were "bundled" inside the jenkins.war file to retain compatibility for plugins that depended on their functionality to be inside Jenkins core. The Ant plugin and the Javadoc plugin are no longer bundled with Jenkins.
In very rare cases, this could result in problems when attempting to install plugins compatible with Jenkins before 1.430.
If you use a plugin that relies on the functionality provided by the Ant plugin or the Javadoc plugin and manage plugins outside the Jenkins plugin manager, you will now need to ensure yourself that a recent release of those plugins are installed.
Jenkins will attempt to load such plugins but may fail at any time during startup or afterwards with
ClassNotFoundException or similar.
In these cases, the best path forward is usually to modify the plugin that has the problem so that it requires a newer version of Jenkins core.
In this release we detached the SSHD Jenkins core module to a separate SSH Server Plugin. This plugin now provides a built-in SSH server for Jenkins. It’s an alternative interface for the Jenkins CLI, and commands can be invoked this way using any SSH client.
Jenkins core can resolve dependencies on such a detached plugin, so there should be no impact on the majority of users. If you Manage Jenkins Plugins as Code (e.g. via plugins.txt in Docker, Helm charts or Plugin Installation Manager Tool), you might need to explicitly declare the plugin requirement after the upgrade to Jenkins 2.289.1 or above.