This is supposed to only show when Jenkins detects an upgrade from 1.495 or older. IIRC, it uses information from the global config.xml to determine that. Any scripting messing with this file could be a possible culprit.
I recommend not executing this. I'm not sure whether the format of secrets we implemented ~2 years ago is still compatible with the re-keying. > On 19. Oct 2018, at 18:26, matthew.web...@diamond.ac.uk wrote: > > We recently upgraded Jenkins from 2.146 to 2.147 (which is the newest release > at the time of writing). > > Since then, Jenkins has displayed a message in the WebUI: > "Because of a security vulnerability discovered earlier, we need to change > the encryption key used to protect secrets in your configuration files on the > disk. This process scans a large portion of your $JENKINS_HOME, find > encrypted data, re-key them, which will take some time. See this document for > more implications about different ways of doing this (or not doing this.)" > > The message links to a 5-year old web page > https://jenkins.io/security/advisory/2013-01-04/. This is strange, since at > the time of the original security advisory, I followed the steps as > instructed. I'm not just relying on memory here - I verified the > $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor exists, meaning that > the remediation action was followed back in 2013. > > Questions: > (1) Has anyone else seen this after upgrading to 2.147? > (2) Does anyone have any ideas what could have caused this? > > Thanks > Matthew > > > -- > This e-mail and any attachments may contain confidential, copyright and or > privileged material, and are for the use of the intended addressee only. If > you are not the intended addressee or an authorised recipient of the > addressee please notify us of receipt by returning the e-mail and do not use, > copy, retain, distribute or disclose the information in or attached to the > e-mail. > Any opinions expressed within this e-mail are those of the individual and not > necessarily of Diamond Light Source Ltd. > Diamond Light Source Ltd. cannot guarantee that this e-mail or any > attachments are free from viruses and we cannot accept liability for any > damage which you may sustain as a result of software viruses which may be > transmitted in or with the message. > Diamond Light Source Limited (company no. 4375679). Registered in England and > Wales with its registered office at Diamond House, Harwell Science and > Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-users/b3ff1efc8d274299a4924d782e10966c%40Diamond.ac.uk. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/C138646D-2B5C-49C1-A06A-379EF518C42B%40beckweb.net. For more options, visit https://groups.google.com/d/optout.
