Security Fixes
This release has important security fixes and upgrades to a number of internal components.
This is an especially important upgrade because of two vulnerabilities that could allow an existing authenticated user with malicious intent to trigger remote code execution on the GoCD Server, via
- the LDAP Authentication Plugin
- use of Mercurial source control materials or configuration repositories
If you are unable to upgrade immediately, you can mitigate the high severity issues by
- removing any authorization configurations for the bundled LDAP Authentication plugin
- if LDAP login is required, considering migrating your configuration to a patched (v4.2.0-73+) version of the LDAP Authorization Plugin, which supports both authentication and (optional) authorization
- uninstalling the hg/Mercurial binary from the underlying GoCD Server operating system or Docker image
Security fixes in this release were due to vulnerabilities responsibly disclosed by Alessio Della Libera (of the Snyk Security Team), Alexey Solovyev (solev9ev) and SuperXX (Xiao Xiong). Many thanks to them for the disclosures, discussions and ideas around mitigation.
Java 17 Support
This release includes compatibility changes within the GoCD Server to support Java 17.
Java 16+ includes a number of restrictions on access to Java Runtime internals that required either GoCD changes or specific “opt-outs” to be included in GoCD server’s start-up arguments. Currently, there are no opt-outs known to be required on GoCD agents.
If you use the regular GoCD start-up scripts, and/or the packaged Java Runtime Environments with our installers and/or Docker images, there is nothing extra you should need to do to run with Java 16+.
Plugin Compatibility with Java 17
GoCD has many plugins and while we have sanity checked many, it is not practical for us to test every plugin. Plugins are also constrained by these Java Runtime restrictions, and if they either rely on access to Java Runtime internals or use libraries that do so, they may experience issues.
If you experience issues with a plugin, the GoCD Server or a GoCD Agent:
- try working around the issue by following this guide
- please report the issue, including a full stack trace from the logs
  - for plugin issues, on the relevant plugin’s GitHub repository (these are linked from the Author of each plugin in Admin -> Plugins)
  - for GoCD Server/Agent issues, on our GitHub issues
  - if you are not sure whether a plugin or GoCD is at fault, feel free to start a discussion in our GitHub discussions or via the GoCD Google Group
Changes
- #9918 – Upgrade GoCD to run and build with Java 17
- #10025 – Build the default GoCD Server image on Alpine 3.15
- #10153 – Drop source/target compatibility back to Java 11 LTS
- #10071 – Support Bitbucket push webhooks that contain multiple changes
Bug Fixes
- #9902 – Cannot input multiple lines for Perforce material view
- #9927 – Clean working directory sometimes fails on POSIX file systems with GoCD 21.3
- #10086 – GoCD Server fails to start when commit GPG signing is enabled at system/user level
- #10169 – Correct message displayed when agents are stuck cancelling jobs
APIs
Improvements, deprecations and breaking changes in the API and plugin API have been moved to their respective changelogs – API changelog for 22.1.0 and Plugin API changelog for 22.1.0.
Contributors
Alessio Della Libera (of the Snyk Security Team), Alexey Solovyev (solev9ev), Aravind SV, Chad Wilson, Ganesh S Patil, Jeroen Oortwijn, Ketan Padegaonkar, Kritika Singh, Mahesh Panchaksharaiah, Marques Lee, Sandro Heinzelmann, SuperXX (Xiao Xiong)
Note
A more comprehensive list of changes for this release can be found here.
Found a security issue that needs fixing? Please report it to https://hackerone.com/gocd
Please report any issues that you observe on GitHub issues.