Each section covers the upgrade from the previous LTS release; the section on 2.107.1 covers the upgrade from 2.89.4.
The Jenkins user database now restricts user names for user signup. Only alphanumeric, dash, and underscore characters are allowed.
To change what user names are legal, set the system property hudson.security.HudsonPrivateSecurityRealm.ID_REGEX to a regular expression that any legal user name must match.
No notable changes requiring upgrade notes.
To prevent further security issues related to unsafe deserialization of Java objects, we switched to a whitelist for Remoting (the communication library mostly used between agents and master) and XStream (the XML serialization library). This change means that only classes considered to be safe to (de)serialize will now be (de)serialized.
See the announcement blog post for update guidelines. Many plugins require updates to be compatible with this new restriction (list); please read the guide carefully.
Jenkins now creates XML 1.1 files to be more accepting of unusual contents. The XML processing instruction in those XML files will now indicate the version 1.1 instead of 1.0 as before:
<?xml version="1.1" encoding="UTF-8" ?>
This change may result in Jenkins refusing to load malformed files, or parsing them differently from previous releases. For example, we have received a report (JENKINS-50126) that it now refuses to load XML files from disk that do not start with an XML processing instruction, but instead with a line break (empty line).
Previous versions of Jenkins cannot read XML 1.1 files, so downgrading Jenkins to an earlier release will result in errors.
In many cases, it should be sufficient to just replace 1.1 with 1.0 to make them readable again, but note that downgrades of Jenkins are generally unsupported.
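A pre-upgrade check for the two XML changes described above, as an added example that is not part of the original guide or of Jenkins itself: it walks a directory of XML files and lists those that begin with whitespace (the JENKINS-50126 case) and those already written as XML 1.1, which earlier releases cannot read. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# XML declaration at the very start of the data; captures the version number.
DECL = re.compile(rb'<\?xml\s+version\s*=\s*["\'](1\.[0-9]+)["\']')

def classify_prolog(data: bytes) -> str:
    """Classify how an XML file begins, from its first bytes."""
    if data.startswith(b"\xef\xbb\xbf"):   # skip a UTF-8 byte order mark
        data = data[3:]
    if data[:1].isspace():
        return "leading-whitespace"        # the case reported in JENKINS-50126
    m = DECL.match(data)
    return "xml-" + m.group(1).decode() if m else "no-declaration"

def scan(root: str) -> dict:
    """Map every *.xml file under root to its classification."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".xml"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    found[os.path.relpath(path, root)] = classify_prolog(fh.read(256))
    return found

def report(found: dict) -> dict:
    """Group paths: files that may fail to load, and files older releases cannot read."""
    return {
        "leading_whitespace": sorted(p for p, k in found.items() if k == "leading-whitespace"),
        "xml_1_1": sorted(p for p, k in found.items() if k == "xml-1.1"),
    }

if __name__ == "__main__":
    # Constructed sample tree standing in for a Jenkins home directory.
    samples = {
        "config.xml": b'<?xml version="1.1" encoding="UTF-8"?>\n<hudson/>\n',
        "old-job.xml": b"<?xml version='1.0' encoding='UTF-8'?>\n<project/>\n",
        "hand-edited.xml": b"\n<?xml version='1.0' encoding='UTF-8'?>\n<project/>\n",
    }
    with tempfile.TemporaryDirectory() as home:
        for name, body in samples.items():
            with open(os.path.join(home, name), "wb") as fh:
                fh.write(body)
        print(report(scan(home)))
```

Run it against a copy or backup of the Jenkins home directory before upgrading; it only reads files and changes nothing.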
In previous releases, updating jobs and views by XML left fields at their old value if not defined in the new XML file that the job or view is being updated with.
This long-standing bug has now been fixed, and Jenkins will reset unspecified fields to their default value, instead of retaining the previously defined value.
This impacts the Remote API (POST config.xml), the CLI (update-job and similar commands), and any plugins using the same mechanisms, such as Job DSL Plugin.
It is no longer necessary to provide a CSRF crumb when sending an HTTP request with Basic authentication that provides the authenticating user’s API token in place of a password.
This is a list of confirmed regressions introduced in this release.
JENKINS-49392: Some job configuration forms may fail to load if Violations Plugin is installed.
JENKINS-47736: Some plugins affected by the fix for JEP-200 may not be fixed yet.
Check the linked page for the up-to-date state and workarounds.