Rundeck 2.2.2 is now available

Download Rundeck 2.2.2 now

A copy of the release notes can be found below:


Release 2.2.2

Date: 2014-09-19

This release fixes a number of bugs and addresses several potential security issues:

  1. Require a unique, per-request token on every form submitted from the GUI, which prevents replay and cross-site request forgery (CSRF) attacks.
  2. Updated all pages so that untrusted data is output-encoded before being written to the response, preventing cross-site scripting (XSS) attacks.
  3. Prevent the /api URLs from being accessed through the web GUI session.
  4. Some plugins (Resource Model, Node Executor and File Copier) now support Password fields displayed in the Project configuration page. Once set, the field values are never revealed in clear text via the GUI.

Please see the Notes below for some configuration information related to these changes.

A big Thank You to one of our clients for sponsoring the work for these enhancements.

Security Notes:

The new form tokens used in all form requests expire after 30 minutes by default. This means that if your session timeout is longer than 30 minutes and you attempt to, for example, run a job after the page has been sitting open for longer than that, you will see an "Invalid token" error. If this becomes a problem, you can either change the expiration time for these tokens or switch to non-expiring tokens. See Administration - Configuration File Reference - Security.
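To make the trade-off behind that note concrete, here is an added illustration of the two anti-CSRF token strategies it describes: a server-side store of single-use tokens that expire (which is what produces the "Invalid token" error after a long-idle page), and stateless HMAC tokens bound to the session that never expire. This is example code written for this post, not Rundeck's implementation; the class names, the 30-minute TTL constant and the injected clock are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for the illustration: mirrors the 30-minute default described in the note.
TOKEN_TTL_SECONDS = 30 * 60


class ExpiringTokenStore:
    """Per-request tokens kept server-side (e.g. in the session).

    Each token is random, single-use and carries an expiry, so a captured
    token cannot be replayed and a stale page fails with "Invalid token".
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested deterministically
        self._tokens = {}       # token -> absolute expiry time

    def issue(self):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = self.now() + self.ttl
        return token

    def validate(self, token):
        # pop() makes the token single-use: a second submission (replay) is rejected,
        # and an expired token is consumed rather than left lying around.
        expires_at = self._tokens.pop(token, None)
        if expires_at is None:
            return False        # unknown, already used, or forged
        return self.now() <= expires_at


class HmacTokenIssuer:
    """Non-expiring tokens: HMAC(secret, session_id || nonce).

    Nothing is stored server-side and the token stays valid for the life of
    the session, so long-open pages keep working. The cost is that a token
    is no longer single-use, so it protects against CSRF but not replay.
    """

    def __init__(self, secret):
        self.secret = secret

    def _mac(self, session_id, nonce):
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        return f"{nonce}:{self._mac(session_id, nonce)}"

    def validate(self, session_id, token):
        nonce, sep, mac = token.partition(":")
        if not sep:
            return False
        # Binding to session_id means a token lifted from one session is useless in another.
        return hmac.compare_digest(mac, self._mac(session_id, nonce))


def demo():
    """Walk through the behaviours the note describes and return the outcomes."""
    clock = [1_000_000.0]
    store = ExpiringTokenStore(now=lambda: clock[0])

    first = store.issue()
    fresh_ok = store.validate(first)        # submitted promptly: accepted
    replay_ok = store.validate(first)       # same token again: rejected (single-use)

    second = store.issue()
    clock[0] += TOKEN_TTL_SECONDS + 1       # page left open past the TTL
    expired_ok = store.validate(second)     # rejected: the "Invalid token" case

    issuer = HmacTokenIssuer(b"server-side secret, assumed for the example")
    hmac_token = issuer.issue("session-A")
    clock[0] += 10 * 24 * 3600              # ten days later, still valid
    hmac_ok = issuer.validate("session-A", hmac_token)
    cross_session_ok = issuer.validate("session-B", hmac_token)   # rejected: wrong session
    tampered_ok = issuer.validate("session-A", hmac_token[:-1] + "0")   # rejected: bad MAC

    return {
        "fresh_ok": fresh_ok,
        "replay_ok": replay_ok,
        "expired_ok": expired_ok,
        "hmac_ok": hmac_ok,
        "cross_session_ok": cross_session_ok,
        "tampered_ok": tampered_ok,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Raising the TTL on the first scheme keeps replay protection but widens the window in which a leaked token is usable; the HMAC scheme removes the expiry problem entirely but gives up single-use semantics, which is the choice the configuration reference leaves to the administrator.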

To add a Password field definition to your plugin, see Plugin Development - Description Properties. (Note that currently using property annotations is not supported for the three plugin types that can use Password properties.)

Upgrade notes:

See the Upgrading Guide.

Contributors

  • Andreas Knifh (knifhen)
  • Daniel Serodio (dserodio)
  • Greg Schueler (gschueler)

Bug Reporters

  • adolfocorreia
  • ahonor
  • arjones85
  • danpilch
  • dennis-benzinger-hybris
  • dserodio
  • garyhodgson
  • gschueler
  • jerome83136
  • knifhen
  • majkinetor
  • rfletcher
  • schicky
