A copy of the release notes can be found below:
This release fixes a number of bugs and addresses several potential security issues:
- Require a unique token for each form request from the GUI, which prevents replay and CSRF attacks
- Updated all pages to prevent unencoded data from being written to the response, preventing XSS style attacks.
- Prevent access to the /api URLs via the web GUI.
- Some plugins (Resource model, Node Executor and File Copier) now support using Password fields displayed in the Project config page. The field values once set are never revealed in clear text via the GUI.
Please see the Notes below for some configuration information related to these changes.
A big Thank You to one of our clients for sponsoring the work for these enhancements.
The new form tokens used in all form requests by default will expire in 30 minutes. This means that if your session timeout is larger than 30 minutes and you attempt to e.g. run a job after your web page has been sitting open for longer than that, you will see an “Invalid token” error. If this becomes a problem for you you can either change the expiration time for these tokens, or switch to using non-expiring tokens. See Administration - Configuration File Reference - Security.
To add a Password field definition to your plugin, see Plugin Development - Description Properties. (Note that currently using property annotations is not supported for the three plugin types that can use Password properties.)
See the Upgrading Guide.
- Andreas Knifh (knifhen)
- Daniel Serodio (dserodio)
- Greg Schueler (gschueler)
- dynamic node filter string incorrectly includes name: prefix
- aclpolicy files are listed in random order in Configure page
- Improve “Authenticating Users” docs re. logging
- Security: allow plugins to specify password properties that are obscured in project config page
- Job Variable Length is too low
- Config toggle: Hide error page stacktrace
- Security: CSRF prevention
- Security: prevent XSS issues
- Cannot pass multiple values to multivalued option with enforced values
- Rundeck 2.1.1 scheduling bug
- Selectively Disable metrics servlets features
- Broken Link in Documentation
- Machine tag style attributes don’t get replaced
- Scheduled job with retry never completes 2.2.1
- API docs state latest version is 11, but it is 12
- NPE: Cannot get property ‘nodeSet’ on null object since upgrade to 2.2.1-1
- Powershell and script-exec - extension problem
- Ldap nestedGroup examples
- “Retry failed nodes” does not seem to work, when using dynamic nodes filters
- UI job status incorrect
- Odd page when not allowing node info access