Upgrading to Jenkins LTS 2.46.x

Each section covers the upgrade from the previous LTS release, the section on 2.46.1 covers the upgrade from 2.32.3.

Upgrading to Jenkins 2.46.3

No notable changes requiring upgrade notes.

Upgrading to Jenkins 2.46.2

New non-remoting CLI

To address security concerns over the use of the remoting-based CLI, the new non-remoting implementation introduced in Jenkins 2.54 was backported to this release of Jenkins, and the remoting CLI mode deprecated.

Users upgrading from older releases of Jenkins will still have the remoting mode enabled. It is recommended to disable the remoting mode after adapting all uses of the Jenkins CLI to work over non-remoting protocols.

A previously downloaded jenkins-cli.jar will continue working unless the remoting mode for the CLI is disabled. A newly downloaded jenkins-cli.jar now also supports the existing SSH mode, and the new HTTP mode for the CLI, and invocations need to pass the new argument -remoting to use remoting mode. This is necessary for some of the commands, typically operating on files or modifying the "current build".

More information about the new CLI implementation:

Invalidation of cached CLI authentication

Due to a vulnerability discovered in the CLI authentication cache, existing cached authentications created before this release will no longer work, and users will need to run the login CLI command again.

The login CLI command is specific to the remoting mode of the CLI.

Several URLs cannot be accessed via GET anymore

To fix a number of CSRF vulnerabilities, URLs of several operations have been changed to only work when receiving requests via POST, possibly requiring a CSRF crumb. Most of these will not have been accessed via GET, but a few might. For example, if you have been accessing the URL /quietDown directly before in your web browser, this will no longer work.

Upgrading to Jenkins 2.46.1

JNLP4 remoting protocol enabled by default

The JNLP4 protocol is now enabled by default for JNLP agent connections. It’s more reliable than JNLP3, and also encrypted, making it the best choice for agent connections. Use of this protocol may require upgrades of slave.jar files on agents.

Obsolete ciphers removed from SSHD

Jenkins exposes an SSH server that allows use of CLI commands via SSH. In this SSH server, support for the obsolete ciphers AES128CBC, TripleDESCBC, and BlowfishCBC has been removed.