These are some contributions by members of the Jenkins security team that weren’t delivered as security fixes but are still security-related:
Listen on loopback interface: Jenkins (core)
Listen on loopback interface: Maven HPI Plugin
Published Strict Crumb Issuer Plugin
Credentials: Allow credential parameters to shadow credential ids in lookup
Credentials: Support user-scoped credentials in input step
Credentials: Support more credential masking scenarios
Published Extended Security Settings Plugin
CSRF Protection: Remove requirement to have a CSRF crumb for requests with API tokens
CSRF Protection: Make the form that allows resubmission as POST work with CSRF protection enabled
CSRF Protection: Add a new administrative monitor for CSRF protection
Administrative Monitors: Show admin monitors on most URLs
Administrative Monitors: Add configuration for disabling admin monitors