2.504.2 $$$May 28; 2025$$$Enhancement$$$Add telemetry to determine whether a specific URL (/extensionList/) is in use by plugins or can safely be removed in future releases of Jenkins. pull 10423; pull 10505

2.504.1 $$$April 30; 2025$$$$$$Changes since 2.504$$$Major bug fix$$$Only update affected computers when adding/updating/removing nodes instead of reviewing every computer and checking their retention strategy; which can cause performance issues at scale. Ensure number of executors of the built-in node is synced with the number of executors defined in Jenkins after a configuration reload. Ensure computer configuration is updated correctly after updating a node. =$$$Enhancement$$$Upgrade to Winstone 8.7 and Jetty 12.0.19. pull 10451; Jetty 12.0.18 changelog; Jetty 12.0.19 changelog; Winstone 8.6 changelog; Winstone 8.7 changelog$$$Notable changes since 2.492.3$$$Major enhancement$$$Remove the Yahoo! User Interface library. $$$Add experimental Details widget for builds. $$$Enhancement$$$Disable the copy button in insecure contexts. $$$Update the Copy button animation. $$$Remove Commons Discovery from the Jenkins WAR.$$$Add the option to display the Console Output on the build page behind an experimental flag. $$$Wrap app bars on smaller screens. $$$Remove the ability to install as a Windows service from a running Jenkins install. Users wanting this functionality should instead download and install the MSI package.$$$Refresh the interface of Jenkins CLI page.$$$Define Jenkins UI colors in a more perceptually uniform way using OKLCH.$$$Improve the appearance of user avatars in Jenkins. Custom avatars are also available through the Avatar plugin.$$$Improve accessibility and clean up various components.$$$Allow the master key to be stored in a separate location.$$$Add space between the Add/Edit description button and Views bar. $$$Add grouping to Command Palette search results. $$$Add empty state to the Manage Old Data page. $$$Add Cancel button to the Edit description form. $$$Update interrupted build action summary icon.$$$Bug fix$$$Use the correct date in the History widget when a user has configured a dedicated time zone. $$$Form validation for cron schedules included seconds based on the current time; when in fact the trigger fires at minute-granularity slots. $$$Fix occasional failures to write files to Jenkins home directory on Windows servers due to virus scanners. $$$Fix task notification for the rebuild plugin and others. $$$Fix tooltip and console link in the progress bar of jobs in the executors widget.$$$Clarify the displayed message while the build history widget initializes. $$$Fix border radius overlap when multiple lines of view names are displayed. $$$Sort deprecated plugins alphabetically. JENKINS-75341$$$Prevent dynamic plugin installation from registering the same extension twice in some cases.$$$Fix Manage Jenkins nested context menu to stay open when parent menu closes.$$$Fix enableTopButton to insert entry at the top in an f:repeatable.$$$Prevent Java null pointer exception when adapting a keyboard shortcut based on the User-Agent header.

2.492.3 $$$April 2; 2025$$$$$$30$$$$$$0$$$$$$0$$$SECURITY$$$Security fixes. security advisory$$$BUG FIX$$$Clarify the displayed message while the build history widget initializes. JENKINS-75321$$$Upgrade to Jetty 12.0.17 to fix User pages for users with a \ in their username. pull 10344; JENKINS-75278; Jetty 12.0.15 changelog; Jetty 12.0.16 changelog; Jetty 12.0.17 changelog

2.492.2 $$$March 5; 2025$$$Security fixes. security advisory$$$Bug fix$$$Use correct date in the History widget when a user has configured a dedicated time zone. JENKINS-75163$$$Fix notification for `l:task` (regression in 2.481). JENKINS-75265$$$Fix tooltip and console link in progress bar of jobs in the executors widget (regression in 2.480). JENKINS-75259$$$Fix occasional failures to write files to the Jenkins home directory on Windows servers due to virus scanners (regression in 2.491). JENKINS-75255

Enhancement$$$Disable the JnlpSlaveRestarterInstallerTest on ci.jenkins Windows agents.

Changelog for 2.479.3 $$$January 8; 2025$$$Enhancement$$$Upgrade Apache MINA core from 2.0.26 to 2.0.27. JENKINS-75077$$$Bug fix$$$Remove Upgrade Automatically from users with `SystemRead` permissions. JENKINS-73908$$$Fix double-zipped .tgz files so they are no longer mismatched. JENKINS-73942$$$Fix exception error message about hudson.model.UpdateSite$Warning on Manage Jenkins that may be shown when plugins with known security issues are installed. JENKINS-73487$$$Fix double-escaped tooltips in Help for feature (regression in 2.380). JENKINS-73907

Changelog for 2.479.2 $$$November 27; 2024$$$$$$39$$$$$$3$$$$$$1$$$Community reported issues: 1×JENKINS-74943$$$Looking to upgrade?$$$Check the Upgrade Guide for assistance$$$Security$$$Important security fix. security advisory$$$Enhancement$$$Upgrade Script Security plugin to 1368.vb_b_402e3547e7. Script Security 1368.vb_b_402e3547e7 includes a fix for SECURITY-3447. pull 9970; JENKINS-74852; Script Security plugin 1368.vb_b_402e3547e7 release notes$$$Bug fix$$$Upgrade XStream to 1.4.21. XStream 1.4.21 includes a fix for CVE-2024-47072. JENKINS-74826$$$Do not add jobs created via the REST API to the default view (regression in 2.475). JENKINS-74795$$$Allow context classloaders to be defined without making explicit reference to the calling class. JENKINS-74814

2.479.1 $$$October 30; 2024$$$Changes since 2.479$$$Major bug fix$$$Migrate from http://updates.jenkins-ci.org to https://updates.jenkins.io if the initial installation version was 2.76 or older. JENKINS-73760$$$Bug fix$$$Restore compatibility with plugins calling Jenkins#doSafeRestart(StaplerRequest; String). JENKINS-73838$$$Restore compatibility with plugins contributing new views with custom XML; such as the Nested Views plugin. JENKINS-73801$$$Wrap long lines in the build history. JENKINS-73437$$$Prevent an old version of ASM from appearing as a managed dependency in plugin builds. JENKINS-73867$$$Update ASM to 9.7.1 to match the most recent release of the ASM API and Jenkins ASM API plugin. JENKINS-73917$$$Do not allow builds to be deleted while they are still building. Ensure build discarders only process builds which have fully completed. JENKINS-73835$$$Allow null to be passed as the first argument to doSafeRestart. pull 9882$$$Notable changes since 2.462.3$$$Major enhancement$$$Require Java 17 or newer. pull 9358; JENKINS-67907; Java 17 requirement blog post$$$Upgrade Spring Framework from 5.3.39 to 6.1.14; upgrade Spring Security from 5.8.14 to 6.3.4; and upgrade Java EE from 8 to 9. Users of the LDAP plugin must upgrade to version 733.vd3700c27b_043 in combination with upgrading Jenkins core. Users of the CAS plugin must upgrade to version 1.7.0 in combination with upgrading Jenkins core. Users of third-party servlet containers must upgrade their servlet container to an EE 9 version in accordance with the Jenkins Servlet Container Support Policy. Spring Framework 6.0.23 release notes; Spring Framework 6.1.12 release notes; Spring Framework 6.1.13 release notes; Spring Framework 6.1.14 release notes; Spring Security 6.2.6 release notes; Spring Security 6.3.2 release notes; Spring Security 6.3.3 release notes; Spring Security 6.3.4 release notes; Jarkata EE 9 release page; LDAP plugin 733.vd3700c27b_043; CAS plugin 1.7.0; Servlet Container Support Policy; pull 9672; JENKINS-73278$$$Upgrade Jetty from 10.0.24 to 12.0.12. pull 9590; JENKINS-73130; Jetty 12.0.10 release notes; Jetty 12.0.11 release notes; Jetty 12.0.12 release notes$$$Allow all builds to be removed by the build discarder. JENKINS-68822$$$Remove Windows path traversal vulnerability escape hatch that was provided with the SECURITY-2481 fix.. pull 9387; JENKINS-73129; Path traversal vulnerability on Windows - SECURITY-2481$$$Major bug fix$$$Fix download of .tar.gz artifacts in Firefox. JENKINS-73381$$$Enhancement$$$Enhancements and refinements for the appearance of several pages in Jenkins. pull 9521; pull 9707; pull 9461; pull 9411; pull 9393; pull 9381$$$Refinements and modernizations to sections of the Jenkins UI. pull 9453; pull 9380; pull 9365; pull 9395; pull 9641$$$User properties are now categorized in different pages. JENKINS-69869$$$Update the design of the build history widget. pull 9148$$$Use Notice component for views lacking jobs. pull 9724$$$Do not edit unrelated checkboxes in rowSelectionController. JENKINS-73669$$$Improve display of HTTP handshake errors (such as authentication issues) from the CLI in -webSocket mode. pull 9591$$$Use webSocket in the inbound agent command line sample. pull 9665$$$Allow plugins to customize the maximum number of suggestions in autocomplete text fields. pull 9616$$$Remove obsolete RekeySecretAdminMonitor. JENKINS-73597$$$Use makeButton to create a jenkins-button on the fly instead of using YUI. JENKINS-73563$$$Clarify that the plugin incompatibility message applies to the current plugin. JENKINS-73495$$$Add end of life dates for Alpine 3.20; Ubuntu 24.04; and Fedora 40. Correct several end of life dates; including CentOS 8. pull 9501$$$Avoid unnecessary download of bundled plugins during the setup wizard. pull 9476$$$Scroll fields from the added hetero-list entry into the viewport. pull 9488$$$Modernize the build time trend page with a time since column and a link to the console; and allow the table to be resized. Remove the agent column for

Changelog for 2.462.3 $$$October 2; 2024$$$Security$$$Security fixes. security advisory$$$Major bug fix$$$No longer printing verbose and uninformative messages to $JENKINS_HOME/logs/tasks/Periodic background build discarder.log. JENKINS-73692$$$Enhancement$$$Upgrade Winstone from 6.18 to 6.22. Upgrade Jetty from 10.0.20 to 10.0.24. Winstone 6.19 release notes; Winstone 6.20 release notes; Winstone 6.21 release notes; Winstone 6.22 release notes; Jetty 10.0.21 release notes; Jetty 10.0.22 release notes; Jetty 10.0.23 release notes; Jetty 10.0.24 release notes; pull 9698; JENKINS-73743$$$Developer: Add ExtendedReadRedaction extension point to allow plugins to redact content from config.xml files served via API or CLI to users with Extended Read permission. SECURITY-3373$$$Bug fix$$$Fix the appearance of the Plugin Manager actions dropdown. JENKINS-73668$$$Add escape hatch for Authenticated user access to Resource URL. JENKINS-73422

2.462.2 $$$September 4; 2024$$$$$$Enhancement$$$Form validation now works for SecretTextArea fields. JENKINS-73404$$$Upgrade Spring Framework from 5.3.37 to 5.3.39. Spring Framework 5.3.38 and 5.3.39 include 8 fixes and improvements. Spring Framework 5.3.38; Spring Framework 5.3.39; JENKINS-73622$$$Upgrade Spring Security from 5.8.13 to 5.8.14. Spring Security 5.8.14 includes 2 fixes and several dependency updates. Spring Security 5.8.14; JENKINS-73648$$$Upgrade JUnit plugin to 1296.vb_f538b_c88630. Junit plugin 1296.vb_f538b_c88630 release notes$$$Bug fix$$$Change icon size in table when resizing the table. JENKINS-73453$$$Fix New Item page layout if no icon is defined for an item (regression in 2.453). JENKINS-73586

Whats new in 2.462.1 (2024-08-07) $$$41 sunny1 cloudy1 storm$$$Community reported issues: 1×JENKINS-73593$$$permalink to this entry$$$$$$Changes since 2.462:$$$ Important security fixes. (security advisory)$$$ Upgrade Spring Security from 5.8.12 to 5.8.13. Spring Security 5.8.13 includes 19 fixes and improvements. (Spring Security 5.8.13; pull 9398)$$$ Upgrade Spring Framework from 5.3.36 to 5.3.37. Spring Framework 5.3.37 includes 5 fixes and improvements. (Spring Security 5.3.37; pull 9385)$$$ Upgrade bundled plugins. (pull 9386; pull 9419; pull 9439; pull 9444; pull 9429; pull 9464)$$$Notable changes since 2.452.4:$$$ Upgrade Commons FileUpload from 1.5 to 2.0.0-M2. Users of the SAML Single Sign On (SSO) (miniorange-saml-sp) plugin should upgrade to a compatible version in lockstep with upgrading Jenkins core. Users of the OpenText Application Automation Tools (hp-application-automation-tools-plugin) plugin should wait for a compatible version before upgrading Jenkins core. (Apache Commons 2.0.0-M2 release notes)$$$ Refresh the New item page. (pull 9111)$$$ Move Add description to app bar. (pull 9271)$$$ Add download option to Console output; move View as plain text and Copy buttons to app bar. (pull 9169)$$$ Remove Disable project button from project view. (pull 9287)$$$ Refresh the style of alerts. (pull 9115)$$$ Improve the edit build information page. (pull 9132)$$$ Avoid jumping layout due to tooltips. (issue 73158)$$$ Refine button appearances in sidebars; menus; pages and breadcrumbs. (pull 9367)$$$ Adjust heading weights and sizes. (pull 9366)$$$ Display how many users there are on the Users page. (pull 9221)$$$ Improve the performance of JSON parsing. (json-lib PR 30)$$$ Improve the performance of file compression and decompression. (pull 9312)$$$ Improve startup performance when jobs have been created via REST API or command line interface. (issue 64356)$$$ Remove ASM dependencies from core. (issue 73046)$$$ The webappsDir argument to run Winstone with a directory full of WAR files has been removed without replacement. (Winstone 6.19 changelog)$$$ Allow pipeline jobs to run when built-in node is offline. (issue 53958)$$$ Adjust side panel sizes for certain screens like iPad Pro. (issue 70246)$$$ Installed plugin view no longer jumps during first load. (issue 69588)$$$ Fix status icon animation display on Safari. (issue 72845)$$$ Remove tooltip when a widget is refreshed. (issue 72744)$$$ Honor readonly mode when displaying enumerations on pages. (issue 72854)$$$ After reconfiguring a static inbound agent in the GUI using fields such as WebSocket; deprecated in 2.440.x; the suggested launch instructions would incorrectly include tunnel (with no argument) even if that field had been left blank. (issue 73011)$$$ Fix the WorkspaceCleanupThread to consider workspaces with suffixes even if the original is nonexistent. Reduce the number of remoting calls made by WorkspaceCleanupThread. (issue 65829)$$$ Work around an upstream issue that could cause a hang in rare cases when two users load a configuration screen of the same type at the same time. (issue 60997)$$$ Handle svg cleanup via an xml document to avoid broken symbols. (issue 73156)$$$ Treat lines of text (mainly in build logs) as completed by a single carriage return in addition to a newline or carriage return plus newline; avoiding an out of memory error if a large number of such lines are printed in sequence. (issue 73090)$$$ Add new CSS classes to avoid conflicts with CSS classes from bootstrap. (issue 73114)

Whats new in 2.452.3 (2024-07-10) $$$permalink to this entry$$$$$$ Show help text in the correct locale even if user has an alternate language option defined in their browser (regression in 2.444). (issue 73246)$$$ Correctly highlight alerts (regression in 2.452.2). (issue 73301)$$$ Show correct build history panel even when a $ character is included in a tooltip of the build history data. Quote replacement string in symbol tooltips. (issue 73243)$$$ Update bundled structs plugin to 338.v848422169819. (Structs 338.v848422169819 release notes; SECURITY-3371)

Whats new in 2.452.2 (2024-06-12) $$$$$$ Rename CloudSet query parameter type to cloudDescriptorName to avoid conflicts in cloud plugin implementations. (issue 72622)$$$ Update bundled Script Security plugin from 1335.vf07d9ce377a_e to 1336.vf33a_a_9863911. (Script Security 1336.vf33a_a_9863911 release notes)$$$ Update bouncycastle API plugin from 2.30.1.77-225.v26ea_c9455fd9 to 2.30.1.78.1-233.vfdcdeb_0a_08a_a_. (Bouncy Castle API plugin 2.30.1.78.1-233.vfdcdeb_0a_08a_a_ release notes)$$$ Add new CSS classes to avoid conflicts with CSS classes from bootstrap. (issue 73114)$$$ Fix width of weather icons in Safari when zoomed. (issue 73047)

Whats new in 2.452.1 (2024-05-15) $$$Community reported issues: 2×JENKINS-73185$$$permalink to this entry$$$$$$Changes since 2.452:$$$ After reconfiguring a static inbound agent in the GUI using fields such as WebSocket (deprecated in 2.440.x); the suggested launch instructions would incorrectly include -tunnel (with no argument); even if that field had been left blank. (issue 73011)$$$ If the variant plugin is installed at the same time as a plugin that has an OptionalExtension; these extensions would not be correctly discovered until the next scan for new Extensions. (issue 72998)$$$ Upgrade Spring Framework BOM from 5.3.33 to 5.3.34. (Spring Framework Bom 5.3.34 release notes)$$$Notable changes since 2.440.3:$$$ Remove the People view. Administrators can install the new People View plugin to restore this functionality. (issue 18884; pull 9060; People View plugin)$$$ Add specific temporary files to the Debian package for better support of Unix domain sockets. Require Debian 10 and Ubuntu 20.04 as the minimum supported versions for Debian packages. (pull 456 (packaging); Packaging issue 455)$$$ Allow recursive remote file copy even if the local and remote nodes have incompatible character sets at binary level such as ISO-8859-1 and CP-1047. (issue 72540)$$$ Modernize progress bar UI in various locations. (issue 69113)$$$ Add components for dropdown items. Refer to the new Design Library Dropdowns page for implementation details. (pull 8827)$$$ Use the symbol for parameters in the build history of pending jobs. (pull 8977)$$$ Add a copy to clipboard button to the build console output. (pull 8960)$$$ Enable readonly mode for dropdown menus when using the Extended Read Permission plugin. (pull 8955)$$$ Remove the extra margin when viewing in read only mode. (pull 8938)$$$ Add a computer icon legend and a new icon for agents that are not accepting tasks. (issue 69191)$$$ Remove unused material icons. (pull 8831)$$$ Localize the Appearance link and plain text Markup Formatter for Turkish. (pull 9067; pull 9062)$$$ Make the Agent/Provision permission available in the global Security configuration when using matrix-based authorization strategies. (issue 72637)$$$ Do not configure an authenticator during proxy configuration via the GUI if the proxy username is blank. (pull 8990)$$$ Add ability for custom update centers to override the suggested plugin list. (pull 8951)$$$ Create an index page for heap dump creation. (pull 8929)$$$ Non-Pipeline builds interrupted by a controller restart will now be marked as aborted rather than failed. (pull 8986)$$$ Prevent authenticated access to Resource Root URL. (issue 72636)$$$ Update operating system end of life data for Amazon Linux; Alpine Linux; and Fedora Linux. (pull 8864)$$$ Use jlink to reduce Java size on Windows as weve done previously for Java on Linux. (pull 1848 (Docker))$$$ Support Session ID for External Job Monitor to avoid HTTP 503 response. (pull 8825)$$$ Do not attempt to self-restart on operating systems where this is not supported. (issue 72833)$$$ Fix a crash when restarting Jenkins on macOS. (issue 65911)$$$ Set the correct owner for Jenkins.clouds after Jenkins.load(). (pull 8976)$$$ Improve locale parsing for loading of localised help files. (issue 72627)$$$ Support noCertificateCheck with webSocket on the CLI. (issue 72532)$$$ Show an error message in progressive logs on 4xx status codes. (issue 72509)$$$ Avoid a stack trace from ArtifactArchiver when no artifacts are found. (issue 71700)$$$ Restore performance displaying build artifacts when using remote artifact managers such as in S3. A security fix in 2.394 caused a substantial slowdown that is now resolved. (pull 8874)$$$ Adjust heap dump file name for compatibility with OpenJDK file suffix requirements. (issue 72579)$$$ Fix build button rendering for Dashboard View plugin. (pull 8854)$$$ Change focus in the new item page only if from has a valid job name. (issue 66530)

Whats new in 2.440.3 (2024-04-17) $$$383 sunny0 cloudy0 storm$$$permalink to this entry$$$$$$ Security fix. (security advisory)$$$ Ensure threads in the Computer.threadPoolForRemoting executor service always have the Jenkins webapp ClassLoader set as the context ClassLoader to prevent random class loading issues when code is running in this ExecutorService. (issue 72796)$$$ Customization of agent log files did not work for inbound agents. (issue 72799)$$$ Update Spring Security to 5.8.11. Update Spring Framework to 5.3.33. (pull 9042; Spring Security 5.8.11 release notes; Spring Framework 5.3.33 release notes)$$$ Update bundled Trilead API Plugin to 2.84.86.vf9c960e9b_458. (Trilead API 2.84.86.vf9c960e9b_458 release notes)$$$ Update Apache Mina in the CLI from 2.11.0 to 2.12.1. (Mina 2.12.1 release notes)$$$ Upgrade bundled plugins. (pull 8914; pull 8961; pull 8988; pull 9018; pull 9036; pull 9091; pull 9098; pull 9103)

Changes since 2.426:$$$ Show form validation results for form elements that are initially hidden. Remove previous form validation errors when the form validation is updated with new content (regression in 2.355). (issue 71252; issue 70793)$$$ Fix multibranch Pipeline Add source and other uses that mix inputs and buttons (regression in 2.422). (issue 72170)$$$ Add sleep call when -noReconnect is not specified for Kubernetes agents. (Remoting PR 675)$$$ Add proxy support for Remoting. (issue 65368)$$$ Fix agent allocation due to label issue detected by vSphere Cloud plugin (regression in 2.421). (issue 71937)$$$ Fix drag and drop handle for existing repeatables (regression in 2.335). (issue 72189)$$$ Add telemetry for Jenkins uptime. (issue 72248)$$$ Upgrade Winstone from 6.12 to 6.14. This includes the upgrade of Jetty from 10.0.15 to 10.0.17. The Jetty upgrade includes fixes for several CVEs. (Winstone 6.13 changelog; Winstone 6.14 changelog; Jetty 10.0.16 changelog; Jetty 10.0.17 changelog; CVE-2023-44487)$$$ Show the description of boolean build parameter values on the Parameters view (regression in 2.179). (issue 72179)$$$ Allow clouds to be reordered. This was previously possible; but disappeared when the cloud management was moved to a separate page (regression in 2.403). (issue 72020)$$$ Update SnakeYAML plugin to 2.2 to silence security scanners. (issue 70994)

Whats new in 2.414.3 (2023-10-18) $$$74 sunny2 cloudy9 storm$$$Community reported issues: 2×JENKINS-71763 1×JENKINS-71693 1×JENKINS-72327$$$Short tags (without jdk in them) such as jenkins/jenkins:2.414.3-alpine are using Java 17 and not Java 11 like previously. If you need to keep using Java 11; use tags like jenkins/jenkins:2.414.3-jdk11. Also note that two new tags (2.414.3-alpine-jdk17 & 2.414.3-slim-jdk17) have been published without any content change a week later than the original ones.$$$ Important security fix. (security advisory)$$$ Use Java 17 as the default Java version in container images that do not specify a Java version in the container label. (Docker pull request 1724)$$$ Update commons-compress from 1.23.0 to 1.24.0. (Apache Commons Compress 1.24.0 Release Notes)$$$ Do not create a large number of threads when making numerous HTTP requests. (issue 72016)$$$ Reduce high memory usage from XStream2.AssociatedConverterImpl (regression in 2.405). (issue 72076)$$$ Add telemetry collecting basic information about the security configuration. (issue 71996)$$$ Upgrade Winstone from 6.12 to 6.14. This includes the upgrade of Jetty from 10.0.15 to 10.0.17. The Jetty upgrade includes fixes for several CVEs. (Winstone 6.13 changelog; Winstone 6.14 changelog; Jetty 10.0.16 changelog; Jetty 10.0.17 changelog; CVE-2023-44487)$$$ Restore context menus of model links in build history views and administrative monitors (regression in 2.402). (issue 71890)

Whats new in 2.414.2 (2023-09-20) $$$63 sunny1 cloudy4 storm$$$Community reported issues: 1×JENKINS-71763$$$ Important security fixes. (security advisory)$$$ Add allow-same-origin to the sandbox Content-Security-Policy directive of workspace and artifact browsers if the Resource Root URL feature is not used. Allow requests to resources like stylesheets and images; even if a reverse proxy prohibits cross-site requests. (issue 71366)$$$ The plain text console log will still be printed even if some console annotations are corrupt. (issue 61452)$$$ New login page breaks login-theme-plugin (regression in 2.404). (issue 71238)$$$ Fix invalid CSS which caused some buttons to become invisible on hover (regression in 2.402). (issue 71238)