What Is New in Jenkins 2.541.x
Jenkins 2.541.x is the LTS line that ships Content Security Policy (CSP) enforcement for the Jenkins UI as its headline change, along with Java 25 support, a new RPM packaging URL for Red Hat and openSUSE, and a string of targeted bug fixes across all three patch releases.
| Category | Summary | Releases |
|---|---|---|
| Security | Critical security patches shipped in 2.541.2 and 2.541.3; CSP enforcement introduced in 2.541.1 | 2.541.1, 2.541.2, 2.541.3 |
| New Features | Content Security Policy UI configuration; Java 25 support; REST API to create agents from XML; experimental UI pages for core sections | 2.541.1 |
| Improvements | Default HTTP response header size raised to 32 KB; user time zone moved to preferences page; reorderable list redesign; health check thread dumps; Windows Server 2022 container support | 2.541.1 |
| Bug Fixes | Form submission array-type error; offline state lost on config submit; console copy button regression; large form submission regression; Cloud sidepanel links; toggle collapse 404; API token rendering | 2.541.1, 2.541.2, 2.541.3 |
| Infrastructure | Unified RPM packaging for Red Hat and openSUSE; new GPG signing key for DEB/RPM repos; Java 25 container images | 2.541.1 |
How Does the New Content Security Policy Support Work?
Jenkins 2.541.x ships a fully configurable CSP layer for the Jenkins UI. Previously there was no built-in way to set or relax CSP rules without third-party plugins; now it is part of core. An API lets plugins declare exactly which resource categories they need to relax (or further tighten), which keeps policy changes traceable and scoped per plugin instead of relying on global hacks.
If you have the csp plugin (Content Security Policy Plugin) installed, update it to version 2.x before upgrading -- the old 1.x API is no longer compatible. Administrators can also completely disable CSP header generation via the Java system property jenkins.security.csp.CspHeader.headerName when unusual configurations cause excessively long HTTP response headers.
CSP-related changes across 2.541.x patch releases
- 2.541.1 -- Initial CSP enforcement and configuration UI; telemetry for enforcement; Winstone updated to raise the default max response header size to 32 KB to accommodate complex CSP headers
- 2.541.3 -- UI label clarified when configuring CSP; CSP header computation skipped entirely when the feature is disabled (prevents slow-path computation on startup); Chrome redirect fix for built-in administrative monitor documentation links
In practice, the most common upgrade issue will be pipelines or shared libraries that load external scripts or styles. Run the new CSP telemetry first (it reports violations without blocking), then tighten the policy incrementally.
Reference: Jenkins CSP admin documentation
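To see where a controller stands before tightening the policy, the following added example (not part of the original page and not Jenkins code) reads a captured response header block and reports whether CSP is enforcing or report-only, which directives still allow unsafe-inline, unsafe-eval or a wildcard source, and whether the headers fit in the 32 KB limit. It assumes the standard Content-Security-Policy and Content-Security-Policy-Report-Only header names; the sample headers are constructed.

```shell
#!/bin/sh
# Added example, not Jenkins code. Audits a captured response header block,
# e.g. the output of `curl -sI` against your own controller URL.
MAX_HEADER_BYTES=32768  # the 32 KB default response header limit

# Print "enforce", "report-only" or "none" for the headers on stdin.
csp_mode() {
  awk '{ line = tolower($0) }
       line ~ /^content-security-policy-report-only:/ { if (mode == "") mode = "report-only" }
       line ~ /^content-security-policy:/ { mode = "enforce" }
       END { print (mode == "" ? "none" : mode) }'
}

# Print each CSP directive that allows unsafe-inline, unsafe-eval or a bare * source.
risky_directives() {
  tr -d '\r' | awk '
    tolower($0) ~ /^content-security-policy(-report-only)?:/ {
      sub(/^[^:]*:[ \t]*/, "")
      n = split($0, d, ";")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", d[i])
        if (d[i] ~ /unsafe-(inline|eval)/ || d[i] ~ /(^|[ \t])\*($|[ \t])/) {
          split(d[i], w, /[ \t]+/); print w[1]
        }
      }
    }'
}

# Succeed when the header block on stdin fits within the response header limit.
headers_fit() {
  [ "$(wc -c | tr -d ' ')" -le "$MAX_HEADER_BYTES" ]
}

# Constructed sample headers (not captured from a real controller).
SAMPLE_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; style-src 'self'
"

printf '%s' "$SAMPLE_HEADERS" | csp_mode
printf '%s' "$SAMPLE_HEADERS" | risky_directives
printf '%s' "$SAMPLE_HEADERS" | headers_fit && echo "headers fit"
```

A report-only result with an empty directive list is the state to reach before switching to enforcement.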
What Changed in Security Patches 2.541.2 and 2.541.3?
Both 2.541.2 and 2.541.3 carry critical security fixes documented in separate security advisories. The advisories themselves should be reviewed directly for CVE details and affected components.
Beyond the security fixes, 2.541.2 resolves a low-frequency but disruptive form submission bug where the serialization layer threw a "Got type array but no lister class found for type..." error. This was a regression introduced earlier in the 2.541 line and is tracked as JENKINS-76249. The same patch restores the temporary offline state of agents that was silently dropped on config submit.
2.541.3 adds a defensive check so that the CSP header computation path is skipped entirely when CSP is disabled -- relevant if your controller startup is slower than expected after the CSP feature landed in 2.541.1.
Reference: Jenkins security advisories
What Does Java 25 Support Mean for Jenkins Operators?
Jenkins 2.541.x adds official Java 25 support both for the controller runtime and for agent containers. Docker images for the Jenkins controller, SSH agents, and standard agent containers now ship Java 25 variants alongside the existing Java 17 and Java 21 images.
Java 25 is a non-LTS release, so production environments that require long-term vendor support should stay on Java 21 LTS for now. That said, Java 25 is useful for teams that want to evaluate upcoming language features (record patterns, string templates stabilization) in CI pipelines without waiting for the next LTS cycle.
Telemetry for Java system properties was also added in 2.541.1, which means the Jenkins project now collects anonymized data on which JVM flags operators are setting. This helps the team make informed decisions about future default changes.
What Packaging Changes Affect Red Hat and openSUSE Users?
Red Hat and openSUSE RPM packages are now unified under a single new repository URL: https://pkg.jenkins.io/rpm-stable/. The old separate endpoints (/redhat-stable and /opensuse-stable) redirect to the new URL, but the redirect alone is not enough -- you must update your jenkins.repo file manually to point at the new endpoint.
LTS versions 2.528.3 and earlier remain available at https://pkg.jenkins.io/redhat-stable-legacy/. The System V init scripts have been dropped for openSUSE; systemd is now the only supported init system for those packages.
A new GPG signing key (5E386EADB55F01504CAE8BCF7198F4B714ABFC68) is also in use for both DEB and RPM package repositories starting with 2.541.1. You need to import and accept this key before the package manager will accept the updated packages.
```bash
# Import the new GPG key (Debian/Ubuntu)
curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key | sudo tee \
  /usr/share/keyrings/jenkins-keyring.asc > /dev/null

# Update repo config for Red Hat / openSUSE
sudo sed -i 's|pkg.jenkins.io/redhat-stable|pkg.jenkins.io/rpm-stable|g' \
  /etc/yum.repos.d/jenkins.repo
```
Reference: New Linux repository signing keys blog post
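A stricter variant of the two steps above, as an added example that is not from the original page or the Jenkins project: it rewrites both deprecated endpoints while leaving /redhat-stable-legacy alone, and compares a key fingerprint against the value quoted above before the key is trusted. The function names and the sample repo file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Jenkins project code.
EXPECTED_FPR="5E386EADB55F01504CAE8BCF7198F4B714ABFC68"  # fingerprint quoted on this page

# Rewrite the deprecated /redhat-stable and /opensuse-stable endpoints to
# /rpm-stable, leaving /redhat-stable-legacy untouched. Keeps a .bak copy.
migrate_repo() {
  sed -E -i.bak \
    's#pkg\.jenkins\.io/(redhat|opensuse)-stable(/|$)#pkg.jenkins.io/rpm-stable\2#g' "$1"
}

# Succeed when no deprecated endpoint remains in the file.
repo_is_current() {
  ! grep -Eq 'pkg\.jenkins\.io/(redhat|opensuse)-stable(/|$)' "$1"
}

# Normalise a fingerprint (spaces, colons, lower case) and compare it with
# the expected value.
fingerprint_matches() {
  got=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
  [ "$got" = "$EXPECTED_FPR" ]
}

# Print the primary-key fingerprint of a downloaded key file (needs GnuPG).
key_file_fingerprint() {
  gpg --show-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed sample repo file, written to a temp dir for the demonstration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/jenkins.repo" <<'EOF'
[jenkins]
name=Jenkins-stable
baseurl=https://pkg.jenkins.io/redhat-stable
gpgcheck=1

[jenkins-legacy]
name=Jenkins-legacy
baseurl=https://pkg.jenkins.io/redhat-stable-legacy/
gpgcheck=1
EOF
migrate_repo "$demo_dir/jenkins.repo"
grep '^baseurl=' "$demo_dir/jenkins.repo"
```

On a real host, pass the output of key_file_fingerprint for the downloaded key file to fingerprint_matches and import the key only when it succeeds.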
What Other Improvements Ship in This Line?
UI and Developer Experience
- User time zone setting moved from the System configuration page to the individual user preferences page -- a long-overdue UX cleanup.
- The built-in executor count is no longer duplicated on the System configuration page; it is now configured exclusively under Nodes.
- The reorderable list component (used for things like build step ordering) has been redesigned with a cleaner drag handle and visual feedback.
- Tooltips now use a 250 ms enter delay by default, reducing visual noise from accidental hover triggers.
- Experimental UI pages are now available for Manage Jenkins, job listings, build history, the dashboard, run details, and parameter forms. These are opt-in and not enabled by default.
Operations and Diagnostics
- When a /healthcheck takes longer than 10 seconds, Jenkins now logs a full thread dump automatically. The threshold is configurable via jenkins.health.HealthCheckAction.thresholdTimeout.
- A REST API endpoint was added to create agents from XML, bringing agent provisioning in line with the existing job-creation API pattern.
- Idle browser CPU utilization (the spurious polling that kept the JS event loop busy on the Jenkins UI) has been eliminated.
- The rootURL is now used correctly in the Cloud sidepanel, so action links in cloud-provisioned agent views resolve properly.
- Experimental flags can now have default values set via a system property, making it easier to opt entire fleets into or out of preview features without touching individual instance configs.
Bug Fixes Worth Noting
- The console log copy button for finished freestyle builds had been broken since 2.493 -- fixed in 2.541.1.
- Large form submissions (regression introduced in 2.531) were being rejected -- fixed in 2.541.1.
- File fingerprint and project relationship actions disappeared from views -- restored in 2.541.1.
- The toggle collapse in Chrome was triggering 404s -- fixed.
- API token rendering was broken for some token configurations -- fixed.
FAQ
Do I need to update the Content Security Policy Plugin before upgrading to 2.541.x?
Yes, if you have the csp plugin installed. The 1.x version of the plugin is incompatible with the new core CSP API introduced in 2.541.1. Update the plugin to version 2.x first. If you skip this step, the plugin will fail to initialize and CSP-dependent behavior may regress silently. Check the plugin compatibility matrix linked in the Jenkins changelog before upgrading.
The form submission error "Got type array but no lister class found for type" is appearing in our logs -- is this 2.541.x?
Yes. This is JENKINS-76249, a regression that surfaced in the 2.541 line. It occurs rarely during form submissions when a field is serialized as an array type that the binding layer does not recognize. The fix shipped in 2.541.2. Upgrading to 2.541.2 or later resolves it completely.
After upgrading to 2.541.1 our agents are showing wrong offline status after config saves -- what happened?
This is the temporary offline state bug fixed in 2.541.2. When an agent was manually set to temporary offline mode (for draining) and an admin then saved the node config, the temporary offline flag was silently cleared. The fix ensures the flag is preserved through config save operations. Upgrade to 2.541.2 or later.
Red Hat users: what exactly do I need to do to keep getting Jenkins LTS updates after 2.541.1?
Two things: update your jenkins.repo file to use https://pkg.jenkins.io/rpm-stable/ as the baseurl, and import the new GPG signing key with fingerprint 5E386EADB55F01504CAE8BCF7198F4B714ABFC68. Without the key update, yum or dnf will refuse to install packages. Without the repo URL update, the redirect may work initially but is not guaranteed to stay stable. The old /opensuse-stable and /redhat-stable endpoints are deprecated.
Can we run Jenkins 2.541.x on Java 25 in production?
Technically yes -- it is fully supported at the Jenkins project level. In practice, Java 25 is a short-term release without a long-term support commitment from vendors like Red Hat or Adoptium. If your infrastructure relies on vendor-supported JVM binaries (which most enterprise environments do), stick to Java 21 LTS for the controller. Java 25 is a good choice for ephemeral build agents where you want to test code against new language features without committing the controller to an unsupported runtime.