There is a newer version of the announcement for Jenkins administrators. Please see this blog post.

Overview

JEP-200 has been integrated into Jenkins weekly builds and (if all goes well) will be a part of the next LTS line. In a nutshell, this change is a security hardening measure to be less permissive about deserializing Java classes defined in the Java Platform or libraries bundled with Jenkins. For several years now, Jenkins...
Updated on Jan 10, 2019: The deprecated protocols were removed in Remoting 3.40+ and Jenkins 2.214+. See JENKINS-60381: Remove old for more information and links.

There are upcoming changes in Jenkins "core" which may require extra steps when upgrading Jenkins. If you use configuration management for Jenkins agents, please read this announcement carefully. If you have ever seen messages like "Channel is already closed" or "Remote call failed"...
In response to the zero-day vulnerability we fixed in November, I wrote the following:

Moving forward, the Jenkins security team is revisiting the design of the Jenkins CLI over the coming weeks to prevent this class of vulnerability in the future. If you are interested in participating in that discussion, please join in on the jenkinsci-dev@ mailing list.

In early February, several project contributors met after FOSDEM...