ANN: JEP-200 - Class serialization rules hardening in Jenkins LTS 2.107.1+, please read upgrade guidelines


Oleg Nenashev
Dear Jenkins users,

As you probably know, in Jenkins 2.107.1 we are going to introduce a serious security hardening change. XStream and Remoting blacklists will be replaced by whitelists, so that Jenkins will become more restrictive about class serialization over the channel. You can find more technical details about this change in this blogpost.

Before upgrading to the new LTS, make sure to read the Upgrade Guidelines. There are about 50 plugins affected, so it is important to carefully read the guidelines and follow the upgrade procedure. More information will be posted soon in an additional blogpost.

There are the following steps to perform during the upgrade:
  1. Read https://jenkins.io/blog/2018/01/13/jep-200
  2. Backup your instance
  3. Update all affected plugins, apply workarounds for non-released patches if needed
  4. Monitor your instance to ensure that there are no unknown regressions
    1. Focus on build logs and system logs, events with the link to "https://jenkins.io/redirect/class-filter/" are likely related to JEP-200
    2. Report issues (if any) with the "JEP-200" label
    3. Apply workarounds or patches provided by JEP-200 maintainers
In order to simplify the migration, we also have assembled short guidelines about upgrading to JEP-200. You can find these guidelines here:
  • Slidedeck: https://speakerdeck.com/onenashev/jenkins-jep-200-status-update-and-heads-up
  • Video: https://www.youtube.com/watch?v=Vfnc9t1RuYA
If you need any additional information or assistance, please do not hesitate to respond to this thread.

Best regards,
Oleg Nenashev
