Releases: jenkinsci/script-security-plugin
1269.v639888f5e366
👷 Changes for plugin developers
- JENKINS-71808: GenericWhitelistTest#sanity fails on Java 21 (#519) @basil
📦 Dependency updates
- Bump org.jenkins-ci.plugins:plugin from 4.71 to 4.72 (#518) @dependabot
1265.va_fb_290b_4b_d34
Security hardening: Jobs saved by administrators will no longer result in unapproved scripts in those configurations being approved. Administrators now need to explicitly approve unapproved scripts, either through the existing UI, or by using the new inline approval button available in script field form validation messages.
The previous behavior resulted in unexpectedly approved scripts when administrators copied jobs or entire folders (approving potentially never seen scripts, similar to the hardening in 1172.v35f6a_0b_8207e), and increased the impact of SECURITY-3106 in the Folders Plugin.
1251.1253.v4e638b_e3b_221
Security hardening: Jobs saved by administrators will no longer result in unapproved scripts in those configurations being approved. Administrators now need to explicitly approve unapproved scripts, either through the existing UI, or by using the new inline approval button available in script field form validation messages.
The previous behavior resulted in unexpectedly approved scripts when administrators copied jobs or entire folders (approving potentially never seen scripts, similar to the hardening in 1172.v35f6a_0b_8207e), and increased the impact of SECURITY-3106 in the Folders Plugin.
1264.vecf66020eb_7d
👷 Changes for plugin developers
- Bump plugin from 4.65 to 4.66 (#508) @dependabot
👻 Maintenance
📦 Dependency updates
- Bump git-changelist-maven-extension from 1.6 to 1.7 (#513) @dependabot
- Bump plugin from 4.68 to 4.71 (#515) @dependabot
- Bump plugin from 4.67 to 4.68 (#511) @dependabot
- Bump plugin from 4.66 to 4.67 (#510) @dependabot
1251.vfe552ed55f8d
👷 Changes for plugin developers
📦 Dependency updates
- Bump plugin from 4.62 to 4.65 (#507) @dependabot
- Bump plugin from 4.61 to 4.62 (#499) @dependabot
- Bump plugin from 4.60 to 4.61 (#497) @dependabot
1244.ve463715a_f89c
🐛 Bug fixes
- Bump groovy-sandbox from 1.32 to 1.33 (#495) @dependabot
  - JENKINS-70080: Fixes VerifyError when using compound assignment operators in sandboxed Groovy scripts
  - jenkinsci/groovy-sandbox#59: Fixes MissingPropertyException for closure parameters when using closures in loop condition expressions in sandboxed Groovy scripts
👻 Maintenance
- Use SpotBugs null annotation (#492) @basil
- Add missing nullability annotations (#472) @offa
- Migrate to Spring Security (#470) @offa
📦 Dependency updates
- Bump plugin from 4.54 to 4.60 (#494) @dependabot
- Bump git-changelist-maven-extension from 1.4 to 1.6 (#490) @dependabot
- Bump to 2.361.x (#488) @jglick
1229.v4880b_b_e905a_6
🔒 Security
- Fix SECURITY-3016
1228.vd93135a_2fb_25
🐛 Bug fixes
- Fix interception of return statements in closures in sandboxed Groovy scripts (#479) @dwnusbaum
👻 Maintenance
- Reduce reflection in SecureGroovyScript (#478) @basil
- Override getCategory() instead of getCategoryName() (#473) @offa
- Replace deprecated RUN_SCRIPTS with ADMINISTER permission (#471) @offa
📦 Dependency updates
- Bump bom-2.346.x from 1382.v7d694476f340 to 1742.vb_70478c1b_25f (#480) @dependabot
1218.v39ca_7f7ed0a_c
🐛 Bug fixes
- JENKINS-42214: Prevent the Groovy sandbox from using invalid signatures when static class members are accessed via objects instead of class references (e.g. new String().valueOf(...) instead of String.valueOf(...)) (#298) @dwnusbaum
⚠️ If you had previously approved an invalid signature due to this bug, any code that uses that signature will fail after the update, and the correct signature will need to be approved by a Jenkins administrator.