Starting from 1.625.1: 1.625.1 is the first Jenkins LTS release that requires Java 7 to run. If you're using the Maven Project type, please note that it needs to use a JDK capable of running Jenkins, i.e. JDK 7 or up. If you configure an older JDK in a Maven Project, Jenkins will attempt to find a newer JDK and use that automatically. If your SSH Slaves fail to start and you have the plugin install the JRE to run them, make sure to update SSH Slaves Plugin to at least version 1.10.
With the Java 7 to run requirement, I want to confirm the following: 1. Jenkins master and all its slave needs to run JDK 7 or above (JDK7 or above to run Jenkins master process and SSH slave to connect needs to run JDK 7 or above). 2. Maven type job then should work because SSH slave already runs JDK 7 or above. 3. However, if the maven project still needs JDK 6, I can still set the JDK in the job configuration or Injecting JAVA_HOME to JDK 6 and it will use JDK 6 to build the pom.xml and project right? Should I try to setup JDK 8 in master and all slaves for 1 & 2. Thank you -Indra On 12/7/15, 11:41 PM, "jenkinsci-users@googlegroups.com on behalf of Christopher Orr" <jenkinsci-users@googlegroups.com on behalf of ch...@orr.me.uk> wrote: >Also note that, if you're planning a Jenkins upgrade anyway, there's >another Jenkins release coming out tomorrow (1.625.3) to fix one or more >new security issues: >https://groups.google.com/forum/#!topic/jenkinsci-advisories/UbJeKl4Vxbw > >So, you may want to apply the CLI workaround from the blog post that >Mark linked to just now, and do a full upgrade tomorrow (or more likely >Thursday, as releases seem to be done in US West Coast working hours). > >Regards, >Chris > > >On 08/12/15 02:09, Mark Waite wrote: >> Yes, based >> on >>https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-exe >>cution-0-day-jenkins-cli , >> that is impacting Jenkins. >> >> The link you posted states that Jenkins is affected. It includes the >> link to the above Jenkins blog posting which describes a remediation you >> can take with your existing Jenkins version, and a statement that >> 1.625.2 includes the fix. If you read those two postings, you'll be >> able to answer your own questions, including describing the bug and its >> vulnerability (whatever that means to you). >> >> Never waste a crisis. In this case, use it as the opportunity to >> upgrade your environment to Java 8 (or at least to Java 7), and to >> install the latest Jenkins long term support release (1.625.2). >> >> Mark Waite >> >> On Mon, Dec 7, 2015 at 5:56 PM Indra Gunawan (ingunawa) >> <ingun...@cisco.com <mailto:ingun...@cisco.com>> wrote: >> >> >>https://blogs.apache.org/foundation/entry/apache_commons_statement_to_wid >>espread >> >> Building on Frohoff's tool ysoserial >> <https://github.com/frohoff/ysoserial>, Stephen Breen (@breenmachine >> <https://twitter.com/breenmachine>) of Foxglove Security inspected >> various products like WebSphere, JBoss, Jenkins, WebLogic, and >> OpenNMS and describes >> >>(http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss- >>jenkins-opennms-and-your-application-have-in-common-this-vulnerability/) >> for each of them various attack scenarios. >> >> Both research works show that developers put too much trust in Java >> Object Serialization. Some even de-serialize objects >> pre-authentication. When deserializing an Object in Java you >> typically cast it to an expected type, and therefore Java's strict >> type system will ensure you only get valid object trees. >> Unfortunately, by the time the type checking happens, platform code >> has already created and executed significant logic. So, before the >> final type is checked a lot of code is executed from the >> readObject() methods of various objects, all of which is out of the >> developer's control. By combining the readObject() methods of >> various classes which are available on the classpath of the >> vulnerable application an attacker can execute functions (including >> calling Runtime.exec() to execute local OS commands). >> >> The best protection against this, is to avoid using a complex >> serialization protocol with untrusted peers. It is possible to limit >> the impact when using a custom ObjectInputStream which >> overridesresolveClass >> >><http://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html# >>resolveClass%28java.io.ObjectStreamClass%29> to >> implement a whitelist >> approach http://www.ibm.com/developerworks/library/se-lookahead/. >> This might however not always be possible, such as when a framework >> or application server provides the endpoint. This is rather bad >> news, as there is no easy fix and applications need to revisit their >> client-server protocols and overall architecture. >> >> Š >> >> Is this truly impacting Jenkins? Our IT suggests the following >> Jenkins version to upgrade before the end of year shut-down. I want >> to know the impact of this bug, and its vulnerability. >> >> Remediation: >> >> * Jenkins main line users should update to 1.638 >> * Jenkins LTS users should update to 1.625.2 >> >> >> Thank you >> -Indra >> >> -- >> You received this message because you are subscribed to the Google >> Groups "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, >> send an email to jenkinsci-users+unsubscr...@googlegroups.com >> <mailto:jenkinsci-users+unsubscr...@googlegroups.com>. >> To view this discussion on the web visit >> >>https://groups.google.com/d/msgid/jenkinsci-users/D28B6AAB.3D25B%25inguna >>wa%40cisco.com >> >><https://groups.google.com/d/msgid/jenkinsci-users/D28B6AAB.3D25B%25ingun >>awa%40cisco.com?utm_medium=email&utm_source=footer>. >> For more options, visit https://groups.google.com/d/optout. >> >> -- >> You received this message because you are subscribed to the Google >> Groups "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send >> an email to jenkinsci-users+unsubscr...@googlegroups.com >> <mailto:jenkinsci-users+unsubscr...@googlegroups.com>. >> To view this discussion on the web visit >> >>https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtF%3D%2BmqQAdL-5w >>MUJKPrhAZwaQocdyLmyqh9h%3D81MO8Dvg%40mail.gmail.com >> >><https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtF%3D%2BmqQAdL-5 >>wMUJKPrhAZwaQocdyLmyqh9h%3D81MO8Dvg%40mail.gmail.com?utm_medium=email&utm >>_source=footer>. >> For more options, visit https://groups.google.com/d/optout. > >-- >You received this message because you are subscribed to the Google Groups >"Jenkins Users" group. >To unsubscribe from this group and stop receiving emails from it, send an >email to jenkinsci-users+unsubscr...@googlegroups.com. >To view this discussion on the web visit >https://groups.google.com/d/msgid/jenkinsci-users/5666899D.7020708%40orr.m >e.uk. >For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/D2919BA2.3DE2C%25ingunawa%40cisco.com. For more options, visit https://groups.google.com/d/optout.
