We just released security updates to Jenkins, versions 2.154 and LTS 2.150.1, that fix multiple security vulnerabilities. Since 2.150.1 is the first release in the new LTS line, we also released 2.138.4, a security update for the previous LTS line. This allows administrators to install today’s security fixes without having to upgrade to the new LTS line immediately.
For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes, see our LTS 2.138.4 upgrade guide.
A note on previously released changes related to this fix
In the Jenkins core security updates released in August and October, we also included security improvements that can be disabled by setting various system properties. Those changes are an essential part of the SECURITY-595 fix, so we strongly recommend not disabling them for any reason. Previously published documentation has been updated.