# Version 2.2.3
# Release 2.2.3
Date: 2014-09-24
Fix several issues found in 2.2.2:
- 2.2.2: Workflow editor drag/drop or step delete doesn't work
- Documentation: Sudo password option type incorrect: should specify Secure Remote Authentication option
- plugin development: plugin properties using rendering options should allow String values
Release notes from 2.2.2 follow:
This release fixes a number of bugs and addresses several potential security issues:
- Require a unique token for each form request from the GUI, which prevents replay and CSRF attacks.
- Updated all pages to prevent unencoded data from being written to the response, preventing XSS-style attacks.
- Prevent access to the /api URLs via the web GUI.
- Some plugins (Resource model, Node Executor and File Copier) now support using Password fields displayed in the Project config page. Once set, the field values are never revealed in clear text via the GUI.
Please see the Notes below for some configuration information related to these changes.
A big Thank You to one of our clients for sponsoring the work for these enhancements.
Security Notes:
By default, the new form tokens used in all form requests expire after 30 minutes. This means that if your session timeout is longer than 30 minutes and you attempt to, for example, run a job after your web page has been sitting open for longer than that, you will see an "Invalid token" error. If this becomes a problem, you can either change the expiration time for these tokens or switch to non-expiring tokens. See Administration - Configuration File Reference - Security.
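
The behaviour described above (a unique token per form request, rejected on replay, from another session, or after the 30-minute expiry) can be sketched as follows. This is an added example, not Rundeck's implementation; `FormTokenStore`, `issue`, `consume`, the session ids and the in-memory storage are all assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # default expiry stated in the release notes


class FormTokenStore:
    """Hypothetical per-session, single-use form tokens with optional expiry."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl          # None models the non-expiring token option
        self.clock = clock      # injectable so expiry can be shown without waiting
        self._issued = {}       # session_id -> {token: issued_at}

    def issue(self, session_id):
        """Called when rendering a form; the token is embedded in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._issued.setdefault(session_id, {})[token] = self.clock()
        return token

    def consume(self, session_id, token):
        """Called on form submit. Returns 'ok' or 'Invalid token'."""
        tokens = self._issued.get(session_id, {})
        match = next((t for t in tokens
                      if hmac.compare_digest(t.encode(), token.encode())), None)
        if match is None:
            return "Invalid token"      # unknown, replayed, or issued to another session
        issued_at = tokens.pop(match)   # single use: a second submit will not match
        if self.ttl is not None and self.clock() - issued_at > self.ttl:
            return "Invalid token"      # page sat open longer than the token lifetime
        return "ok"


def demo():
    """Constructed scenario driven by a fake clock (seconds)."""
    now = [0.0]
    store = FormTokenStore(clock=lambda: now[0])
    t1 = store.issue("sess-A")
    out = {"first_submit": store.consume("sess-A", t1),
           "replay": store.consume("sess-A", t1)}
    t2 = store.issue("sess-A")
    out["other_session"] = store.consume("sess-B", t2)   # cross-site style submit
    now[0] += 31 * 60                                    # page left open 31 minutes
    out["after_31_min"] = store.consume("sess-A", t2)
    forever = FormTokenStore(ttl=None, clock=lambda: now[0])
    t3 = forever.issue("sess-A")
    now[0] += 24 * 3600
    out["non_expiring_after_24h"] = forever.consume("sess-A", t3)
    return out


if __name__ == "__main__":
    print(demo())
```
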
To add a Password field definition to your plugin, see Plugin Development - Description Properties. (Note that currently using property annotations is not supported for the three plugin types that can use Password properties.)
Upgrade notes:
See the Upgrading Guide.
# Contributors
- Andreas Knifh (knifhen)
- Daniel Serodio (dserodio)
- Greg Schueler (gschueler)
# Bug Reporters
- adolfocorreia
- ahonor
- arjones85
- danpilch
- dennis-benzinger-hybris
- dserodio
- garyhodgson
- gschueler
- jerome83136
- knifhen
- majkinetor
- rfletcher
- schicky
# Issues
- dynamic node filter string incorrectly includes name: prefix
- aclpolicy files are listed in random order in Configure page
- Improve "Authenticating Users" docs re. logging
- Security: allow plugins to specify password properties that are obscured in project config page
- Job Variable Length is too low
- Config toggle: Hide error page stacktrace
- Security: CSRF prevention
- Security: prevent XSS issues
- Cannot pass multiple values to multivalued option with enforced values
- Rundeck 2.1.1 scheduling bug
- Selectively Disable metrics servlets features
- Broken Link in Documentation
- Machine tag style attributes don't get replaced
- Scheduled job with retry never completes 2.2.1
- API docs state latest version is 11, but it is 12
- NPE: Cannot get property 'nodeSet' on null object since upgrade to 2.2.1-1
- Powershell and script-exec - extension problem
- Ldap nestedGroup examples
- "Retry failed nodes" does not seem to work, when using dynamic nodes filters
- UI job status incorrect
- Odd page when not allowing node info access