chore: backporting 2.440.3 #9113

Merged

krisstern
Member

@krisstern krisstern commented Apr 2, 2024

Latest core version: jenkins-2.448

Postponed
---------

JENKINS-68631           Minor                   2.446
        Hovering over stuck builds hides the progress bar (regression in 2.21)
        regression
        https://issues.jenkins.io/browse/JENKINS-68631

Fixed
-----

JENKINS-72954           Minor                   2.452, 2.440.3
        Update Mina SSH to 2.12.1 in Jenkins CLI
        https://issues.jenkins.io/browse/JENKINS-72954

JENKINS-72900           Minor                   2.450, 2.440.3
        Update Spring Security to 5.8.11 and Spring Framework to 5.3.33
        https://issues.jenkins.io/browse/JENKINS-72900

JENKINS-72856           Minor                   2.449, 2.440.3
        Update bundled trilead-api to 2.84.86.vf9c960e9b_458
        https://issues.jenkins.io/browse/JENKINS-72856

JENKINS-72799           Minor                   2.448, 2.440.3
        ConsoleLogFilter is not applied to all SlaveComputer logging
        https://issues.jenkins.io/browse/JENKINS-72799

JENKINS-72796           Minor                   2.449, 2.440.3
        Computer.threadPoolForRemoting can be poisoned by bad code
        https://issues.jenkins.io/browse/JENKINS-72796

Submitter checklist

Before the changes are marked as ready-for-merge:

Maintainer checklist

@github-actions github-actions bot added the into-lts This PR is filed against an LTS branch label Apr 2, 2024
@krisstern krisstern changed the title Feat/stable 2.440/backporting 2.440.3 feat: backporting 2.440.3 Apr 2, 2024
@daniel-beck
Member

daniel-beck commented Apr 2, 2024

JENKINS-69113 / 47ac4a9 seems a bit much as a backport. While it fixes a regression it's not a recent one and not the core purpose of the change, so IMO we can live without it for another month. Thoughts?

@basil
Member

basil commented Apr 2, 2024

I think it will be important to backport the Mina SSHD detached plugin changes to make the scanners happy. Rather than try to figure out how to do a minimal backport, I would recommend simply backporting all bundled plugin updates from trunk. While this includes more than just security fixes, it is tested in the latest weekly and should be safer than an untested surgical/minimal backport in my opinion.

@krisstern krisstern requested a review from timja April 3, 2024 20:05
@timja
Member

timja commented Apr 4, 2024

> JENKINS-69113 / 47ac4a9 seems a bit much as a backport. While it fixes a regression it's not a recent one and not the core purpose of the change, so IMO we can live without it for another month. Thoughts?

I agree, I think this can be dropped unless anyone has strong opinions on it.

daniel-beck and others added 6 commits April 4, 2024 19:18
Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
(cherry picked from commit 3a07440)
…Remoting (jenkinsci#9012)

* [JENKINS-72796] stable context classloader for Computer.threadPoolForRemoting

Whilst the threadpool used reset the context classloader at the end of
any task, it did not ensure that the initial classloader used was
anything specific, rather it would use whatever the calling threads
contextClassLoader was.

This is now fixed as we use the Jenkins WebApp classloader (same as
the Timer) which is used by (A)PeriodicTasks.

Whilst we should really not have a context classloader (aka null) and
this should be set where needed by code, almost everywhere in Jenkins
the context classloader is already the webapp classloader, and so
setting this to be different depending on how things were called would
seemingly be a little scary.  Arguably this and other context
classloaders should be all set to null and any code that wants different
should be changed, but this is a larger piece of work that would have
potential impact on an unknown number of plugins in the ecosystem, so
this fix uses what was set > 90% of the time.

* Update core/src/test/java/hudson/model/ComputerTest.java

---------

Co-authored-by: Tim Jacomb <21194782+timja@users.noreply.github.com>
(cherry picked from commit 89195cc)
…enkinsci#9042)

Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 5.3.32 to 5.3.33.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.32...v5.3.33)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit e9923d3)
…5.8.11 (jenkinsci#9047)

Bump org.springframework.security:spring-security-bom

Bumps [org.springframework.security:spring-security-bom](https://github.com/spring-projects/spring-security) from 5.8.10 to 5.8.11.
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](spring-projects/spring-security@5.8.10...5.8.11)

---
updated-dependencies:
- dependency-name: org.springframework.security:spring-security-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 4666cae)
Bump Mina to 2.12.1

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
Co-authored-by: Mark Waite <mark.earl.waite@gmail.com>
(cherry picked from commit 5e6387a)
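
The behaviour described in the JENKINS-72796 commit message above, as an added Java example that is not Jenkins code and not part of this PR: a pool built with the default thread factory gives each new worker the submitting thread's context class loader, while a factory that pins the loader does not. `PinnedLoaderThreadFactory` and the other names are hypothetical, and an empty `URLClassLoader` is a constructed stand-in for an unexpected caller class loader.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;

public class PinnedContextClassLoaderDemo {

    /** Hypothetical factory: every worker starts with one fixed context class loader. */
    static final class PinnedLoaderThreadFactory implements ThreadFactory {
        private final ThreadFactory delegate = Executors.defaultThreadFactory();
        private final ClassLoader pinned;

        PinnedLoaderThreadFactory(ClassLoader pinned) { this.pinned = pinned; }

        @Override
        public Thread newThread(Runnable r) {
            Thread t = delegate.newThread(r);
            t.setContextClassLoader(pinned); // do not inherit from the submitting thread
            return t;
        }
    }

    /** Runs one task on the pool and returns the context class loader the worker saw. */
    static ClassLoader loaderSeenByWorker(ExecutorService pool) throws Exception {
        Callable<ClassLoader> probe = () -> Thread.currentThread().getContextClassLoader();
        return pool.submit(probe).get();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = PinnedContextClassLoaderDemo.class.getClassLoader();
        // Constructed stand-in for whatever loader the calling thread happens to carry.
        ClassLoader foreign = new URLClassLoader(new URL[0], app);
        ExecutorService inheriting = Executors.newCachedThreadPool();
        ExecutorService pinned = Executors.newCachedThreadPool(new PinnedLoaderThreadFactory(app));

        // The caller changes its own context class loader before each pool's first use,
        // which is when the worker thread is created.
        Thread.currentThread().setContextClassLoader(foreign);
        try {
            System.out.println("inheriting pool worker saw caller's loader: "
                    + (loaderSeenByWorker(inheriting) == foreign));
            System.out.println("pinned pool worker saw fixed loader: "
                    + (loaderSeenByWorker(pinned) == app));
        } finally {
            Thread.currentThread().setContextClassLoader(app);
            inheriting.shutdownNow();
            pinned.shutdownNow();
        }
    }
}
```

Both lines print `true`: the first pool's worker keeps the loader of whichever thread caused it to be created, and the pinned pool's worker does not.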
@krisstern krisstern force-pushed the feat/stable-2.440/backporting-2.440.3 branch from 5b4427a to f25c5d0 Compare April 4, 2024 11:18
@krisstern
Member Author

No problem, just dropped JENKINS-69113 / 47ac4a9 from the LTS

@krisstern krisstern changed the title feat: backporting 2.440.3 chore: backporting 2.440.3 Apr 4, 2024
Member

@basil basil left a comment

Since both @krisstern and @NotMyFault reacted with a thumbs up emoji to #9113 (comment), and nobody had any feedback against it, I have implemented this in commit 387f5a6, tested the same way as #9091. With that having been addressed, the scanners should be happy with everything we are bundling and therefore I am approving this PR.

@basil basil merged commit ef340a4 into jenkinsci:stable-2.440 Apr 4, 2024
4 of 5 checks passed
@krisstern krisstern deleted the feat/stable-2.440/backporting-2.440.3 branch April 4, 2024 19:21