Jenkins regular patching cycle - update to 2.426.2

[sxa]

Current version: 2.414.2
New version: 2.426.2

[sxa]

Update complete. We have left the Azure VM Plugins 825.v470cb_9e7361a_ (Functionaly soon to be obsolete) and Matrix Combinations Plugin 3.1.8 at their previous versions as before since we're close to a release cycle and won't take the risk at this time. perhaps we should re-open that issue? Noting that for both plugins jenkins has a message Warning: The new version of this plugin is marked as incompatible with the installed version. This is usually the case because its behavior changed, or because it uses a different settings format than the installed version. Jobs using this plugin may need to be reconfigured, and/or you may not be able to cleanly revert to the prior version without manually restoring old settings. Consult the plugin release notes for details.

We have also raised #3336 since we have not yet looked into that potential security issue.

As part of the upgrade we started getting additional messages in the log about ambiguous user/group definitions: 2024-01-09 09:55:21.216+0000 [id=45] WARNING o.j.p.m.AuthorizationContainer#add: Processing a permission assignment in the legacy format (without explicit TYPE prefix): hudson.model.Item.Build:AdoptOpenJDK*build - we have set those appropriately. This was done for most of the jobs last year but was now being explicitly flagged after the upgrade for the jenkins defaults.

We need to do an extra push on #2774 to reduce the amount of warnings in the jenkins log file in order to help with being unable to see the wood for the trees :-)

A couple of further notes from the session:

• Rebuilder plugin - Seemingly doesn't have a fix for an exploit in version 330 that could allow DoS by allowing rebuilds without authorization
• A recent change in Pipeline: Nodes and Processes may make stopping and resuming things during a jenkins restart more robust