alecharp
diff --git a/‎.github/comment-ops.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/comment-ops.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/release-drafter.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/release-drafter.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/announce-lts-rc.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/announce-lts-rc.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/changelog.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/changelog.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/publish-release-artifact.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/publish-release-artifact.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/require-changelog-label.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/require-changelog-label.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ath.sh‎
Lines changed: 1 addition & 1 deletion b/‎ath.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bom/pom.xml‎
Lines changed: 4 additions & 4 deletions b/‎bom/pom.xml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎core/src/main/java/hudson/AboutJenkins.java‎
Lines changed: 13 additions & 0 deletions b/‎core/src/main/java/hudson/AboutJenkins.java‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎core/src/main/java/hudson/FilePath.java‎
Lines changed: 43 additions & 6 deletions b/‎core/src/main/java/hudson/FilePath.java‎
Lines changed: 43 additions & 6 deletions
@@ -1,4 +1,8 @@
 commands:
+  close:
+    enabled: true
+  reopen:
+    enabled: true
   label:
     enabled: true
   removeLabel:
 
@@ -1,5 +1,5 @@
 # Configuration for Release Drafter: https://github.com/toolmantim/release-drafter
-_extends: .github
+_extends: github:jenkinsci/.github:/.github/release-drafter.yml
 # We use the 2-digit versioning in Jenkins weekly releases.
 version-template: $MAJOR.$MINOR
 name-template: $NEXT_MINOR_VERSION
 
@@ -10,14 +10,14 @@ jobs:
     if: ${{ github.repository_owner == 'jenkinsci' }}
     steps:
       - name: Post on Discourse
-        uses: roots/discourse-topic-github-release-action@c30dc233349b7c6f24f52fb1c659cc64f13b5474 # v1.0.1
+        uses: roots/discourse-topic-github-release-action@557d74ea05b6cc0c47f555c1d5d28a89d904005b # v1.1.0
         with:
           discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
           discourse-base-url: https://community.jenkins.io/
           discourse-author-username: jenkins-release-bot
           discourse-category: 23
       - name: Post on mailing list
-        uses: dawidd6/action-send-mail@ba302ba66e88942841281c984a6b31ca6d6289e6 # v11
+        uses: dawidd6/action-send-mail@d38f3f7cd391cdebfe0d38efc3998b935e951c4f # v16
         with:
           server_address: smtp.gmail.com
           server_port: 465
 
@@ -24,16 +24,16 @@ jobs:
       # Drafts your next Release notes as Pull Requests are merged into "master"
       - name: Generate GitHub Release Draft
         id: release-drafter
-        uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6.2.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
       # Generates a YAML changelog file using https://github.com/jenkinsci/jenkins-core-changelog-generator
       # used by Oleg N in open graph generator experiment for now
       - name: Generate YAML changelog draft
         id: jenkins-core-changelog-generator
         uses: jenkinsci/core-changelog-generator@feb124ed2262f8586ac4561348436afb965812e1 # v2.2.2
-        env:
-          GITHUB_AUTH: github-actions:${{ secrets.GITHUB_TOKEN }}
+        with:
+          token: github-actions:${{ secrets.GITHUB_TOKEN }}
       - name: Upload Changelog YAML
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'jenkinsci'
     steps:
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.JENKINS_CHANGELOG_UPDATER_APP_ID }}
 
@@ -74,7 +74,7 @@ jobs:
           wget -q https://get.jenkins.io/${REPO}/${PROJECT_VERSION}/${FILE_NAME}
       - name: Upload Release Asset
         id: upload-war
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -109,7 +109,7 @@ jobs:
       - name: Upload Release Asset
         id: upload-deb
         if: always()
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -146,7 +146,7 @@ jobs:
       - name: Upload Release Asset
         id: upload-rpm
         if: always()
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -182,7 +182,7 @@ jobs:
       - name: Upload Release Asset
         id: upload-msi
         if: always()
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
 
@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
+      - uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5.5.2
         with:
           mode: minimum
           count: 1
 
@@ -6,7 +6,7 @@ set -o xtrace
 cd "$(dirname "$0")"
 
 # https://github.com/jenkinsci/acceptance-test-harness/releases
-export ATH_VERSION=6587.v2a_7493c89346
+export ATH_VERSION=6605.vef11d34eec91
 
 if [[ $# -eq 0 ]]; then
 	export JDK=21
 
@@ -41,7 +41,7 @@ THE SOFTWARE.
     <commons-fileupload2.version>2.0.0-M5</commons-fileupload2.version>
     <groovy.version>2.4.21</groovy.version>
     <jelly.version>1.1-jenkins-20250731</jelly.version>
-    <stapler.version>2076.v1b_a_c12445eb_e</stapler.version>
+    <stapler.version>2079.v5849a_9f19b_da_</stapler.version>
   </properties>
 
   <dependencyManagement>
@@ -63,15 +63,15 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-framework-bom</artifactId>
-        <version>6.2.16</version>
+        <version>7.0.6</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
       <dependency>
         <!-- https://docs.spring.io/spring-security/reference/6.3/getting-spring-security.html#getting-maven-no-boot -->
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-bom</artifactId>
-        <version>6.5.8</version>
+        <version>7.0.4</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -327,7 +327,7 @@ THE SOFTWARE.
         <!-- provided by jcl-over-slf4j -->
         <groupId>commons-logging</groupId>
         <artifactId>commons-logging</artifactId>
-        <version>1.3.5</version>
+        <version>1.3.6</version>
         <scope>provided</scope>
       </dependency>
     </dependencies>
 
@@ -1,12 +1,14 @@
 package hudson;
 
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.model.ManagementLink;
 import hudson.security.Permission;
 import java.net.URL;
 import jenkins.model.Jenkins;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
@@ -52,4 +54,15 @@ public Permission getRequiredPermission() {
     public Category getCategory() {
         return Category.STATUS;
     }
+
+    /**
+     * Used to display subpages for plugin information.
+     * @return the plugin with the given short name.
+     */
+    @CheckForNull
+    @Restricted(DoNotUse.class)
+    public PluginWrapper getPlugin(String shortName) {
+        Plugin plugin = Jenkins.get().getPlugin(shortName);
+        return plugin != null ? plugin.getWrapper() : null;
+    }
 }
@@ -213,6 +213,15 @@
  */
 public final class FilePath implements SerializableOnlyOverRemoting {
 
+    /**
+     * Set to {@code true} to disable validation to ensure that we do not attempt to extract paths that may allow determining the path to the destination directory.
+     */
+    private static /* non-final for script console */ boolean ALLOW_REENTRY_PATH_TRAVERSAL = SystemProperties.getBoolean(FilePath.class.getName() + ".ALLOW_REENTRY_PATH_TRAVERSAL");
+    /**
+     * Set to {@code true} to disable the fix for SECURITY-3657 that prevents path traversal from crafted tar files.
+     */
+    private static /* non-final for script console */ boolean ALLOW_UNTAR_SYMLINK_RESOLUTION = SystemProperties.getBoolean(FilePath.class.getName() + ".ALLOW_UNTAR_SYMLINK_RESOLUTION");
+
     public enum DisplayOption implements OpenOption, CopyOption {
         IGNORE_TMP_DIRS
     }
@@ -3051,26 +3060,54 @@ private static void readFromTar(String name, File baseDir, InputStream in) throw
     /**
      * Reads from a tar stream and stores obtained files to the base dir.
      * Supports large files &gt; 10 GB since 1.627.
+     * This prohibits any path traversal out of the base dir, as well as writing through any existing symlinks.
      */
     private static void readFromTar(String name, File baseDir, InputStream in, Charset filenamesEncoding) throws IOException {
-
+        final File absoluteBaseDir = baseDir.getAbsoluteFile();
+        final Path normalizedAbsoluteBaseDir = absoluteBaseDir.toPath().normalize();
         try (TarInputStream t = new TarInputStream(in, filenamesEncoding.name())) {
             TarEntry te;
             while ((te = t.getNextEntry()) != null) {
-                File f = new File(baseDir, te.getName());
-                if (!f.toPath().normalize().startsWith(baseDir.toPath())) {
-                    throw new IOException(
-                            "Tar " + name + " contains illegal file name that breaks out of the target directory: " + te.getName());
+                final String entryName = te.getName();
+                if (!ALLOW_REENTRY_PATH_TRAVERSAL) {
+                    if (new File(entryName).toPath().normalize().startsWith(Path.of(".."))) {
+                        // catch relative path that would escape and then enter the destination dir again, like `../../../var/jenkins_home/...`
+                        throw new IOException("Tar " + name + " contains entry that escapes destination directory: " + entryName);
+                    }
                 }
+
+                // We cannot replace 'f' with its canonical path here, otherwise, if it is a symlink, it becomes its link target and attempting to overwrite 'f' will have unintended behavior (JENKINS-67063)
+                File f = new File(baseDir, entryName).getAbsoluteFile();
+                File parent = f.getParentFile();
+                if (!f.toPath().normalize().startsWith(normalizedAbsoluteBaseDir)) {
+                    // This covers both relative path traversal, and potential undefined File(String, String) constructor behavior when it takes a second argument that's absolute.
+                    throw new IOException("Tar " + name + " contains entry that escapes destination directory: " + entryName);
+                }
+
+                if (!ALLOW_UNTAR_SYMLINK_RESOLUTION) {
+                    // getCanonicalFile doesn't follow symlinks on Windows, so do this the hard way: Check each ancestor up to the base dir for whether it's a symlink
+                    File current = parent;
+                    while (current != null && !current.equals(absoluteBaseDir)) {
+                        if (Util.isSymlink(current)) {
+                            throw new IOException("Tar " + name + " attempts to write to file with symlink in path: " + entryName);
+                        }
+                        current = current.getParentFile();
+                    }
+                }
+
                 if (te.isDirectory()) {
                     mkdirs(f);
                 } else {
-                    File parent = f.getParentFile();
                     if (parent != null) mkdirs(parent);
 
                     if (te.isSymbolicLink()) {
                         new FilePath(f).symlinkTo(te.getLinkName(), TaskListener.NULL);
                     } else {
+                        if (!ALLOW_UNTAR_SYMLINK_RESOLUTION) {
+                            if (Util.isSymlink(f)) {
+                                throw new IOException("Tar '" + name + "' entry '" + entryName + "' would write through existing symlink: " + f);
+                            }
+                        }
                         IOUtils.copy(t, f);
 
                         Files.setLastModifiedTime(Util.fileToPath(f), FileTime.from(te.getModTime().toInstant()));