We just released security updates to Jenkins, versions 2.95 and 2.89.2, that fix two security vulnerabilities. For an overview of what was fixed, see the security advisory.
We usually announce core security updates well in advance on the jenkinsci-advisories mailing list, to give Jenkins administrators time to schedule maintenance. Additionally, we try to align security updates with the regular LTS schedule. We have chosen not to do so in this case for two reasons:
- The random failure to set up Jenkins is very noticeable, and given that we’ve seen automated exploits for unprotected Jenkins instances in the past, we consider it important to fix that issue as soon as possible, so that users setting up new instances of Jenkins can be confident they won’t start up insecurely.
- The CSRF issue appears to only affect instances for a very short time period (seconds at most, if at all) immediately after startup, so administrators could apply the fix during the next scheduled Jenkins downtime rather than immediately.