Each section covers the upgrade from the previous LTS release, the section on 2.375.1 covers the upgrade from 2.361.4.
multipart/form-data
requestsA security fix for a DoS vulnerability when parsing multipart/form-data
request bodies introduces limits for the number of request parts that can be processed.
By default, these limits are 1000.
Some Jenkins forms can be very complex, and these limits apply to all fields and not just fields representing uploaded files.
As a result, legitimate submissions of complex forms that include (possible) file uploads may be affected by these limits.
If that happens, these limits can be changed by setting the Java system properties hudson.util.MultipartFormDataParser.FILEUPLOAD_MAX_FILES
and org.kohsuke.stapler.RequestImpl.FILEUPLOAD_MAX_FILES
to a bigger value, or to -1
to completely disable them.
No notable changes requiring upgrade notes.
No notable changes requiring upgrade notes.
Since Jenkins 2.361.1, there have been several Winstone and Jetty updates. Jenkins has updated its Winstone version all the way from 6.1 to 6.6, and the Jetty version has been updated from 9.4.46.v20220331 to 10.0.12.
The Winstone and Jetty updates include upgrades that users should perform.
When upgrading Winstone to 6.1 and Jetty to 10.0.11, some flags have been modified. Support for OpenSSL-style PEM-encoded RSA private keys has been removed when running Jenkins with the embedded Jetty (Winstone) container and TLS.
Specifically, the --httpsPrivateKey
and --httpsCertificate
flags have been removed in favor of the --httpsKeyStore
flag.
The removed flags have printed deprecation warnings since 2016 and were implemented with non-standard APIs that have since been removed from Java 17.
The recommendation is to migrate to the --httpsKeyStore
option, which takes a keystore as described in the documentation.
As of JEP 229, PKCS12 is the recommended keystore type.
Additionally, the --toolsJar
and --useJasper
flags have been removed, because they no longer serve a purpose with Java 11 or newer.
--ajp13Port
and --ajp13ListenAddress
have been removed, they are obsolote since Jetty 9, which has been released 6 years ago.
Finally, the handler count flags --handlerCountMax
and --handlerCountMaxIdle
have been removed, after being deprecated for 4 years doing nothing.
The Winstone 6.6 and Jetty 10.0.12 update makes it so that a previously added --extraLibFolder
option for use with HTTP/2, can now be removed.