When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm did not result in the user losing access to Jenkins.
While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions besides restarting Jenkins or terminating sessions through other means, such as the Monitoring Plugin.
Jenkins now encodes a per-user seed value in sessions, 'Remember me' cookies, and the cached authentications of the remoting-based CLI. The seed can be reset manually, by the user themselves or by an administrator, on the user's configuration page. Resetting it invalidates all of that user's current sessions, 'Remember me' cookies, and cached CLI authentications, so credentials must be entered again to authenticate. Deleting a user record in Jenkins now also invalidates existing sessions, because the current seed value is deleted along with it.
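The mechanism described above, as an added illustrative model and not Jenkins' own source code: every server-side session records the user's seed at login time, and the stateless 'Remember me' cookie carries an HMAC computed over that seed, so rotating the seed (or deleting the user record, which drops the seed) makes every previously issued session and cookie fail validation without a restart. The class name `SeedBoundAuth`, the `user:expiry:mac` cookie layout and the `SERVER_KEY` constant are assumptions of this example, not Jenkins identifiers.

```python
"""Constructed model of per-user seed-bound sessions and 'Remember me' cookies.

Illustrative only: the class, method names, cookie layout and server key are
assumptions of this example, not Jenkins' implementation.
"""
import hashlib
import hmac
import secrets
import time

# Stands in for the instance-wide secret a real server would keep (assumption).
SERVER_KEY = b"constructed-server-secret"


class SeedBoundAuth:
    """Sessions and cookies are only valid while the user's current seed matches
    the seed they were issued under. A missing user record (deleted) means no seed,
    so nothing issued earlier can validate."""

    def __init__(self):
        self.seeds = {}      # user_id -> current per-user seed
        self.sessions = {}   # server-side session id -> (user_id, seed at login)

    # --- user records --------------------------------------------------------
    def _current_seed(self, user_id):
        if user_id not in self.seeds:
            self.seeds[user_id] = secrets.token_hex(16)
        return self.seeds[user_id]

    def reset_seed(self, user_id):
        """User- or admin-triggered reset: rotate the seed, invalidating all prior issues."""
        self.seeds[user_id] = secrets.token_hex(16)

    def delete_user(self, user_id):
        """Deleting the record drops the seed, so existing sessions and cookies die too."""
        self.seeds.pop(user_id, None)

    # --- server-side sessions -----------------------------------------------
    def login(self, user_id):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user_id, self._current_seed(user_id))
        return sid

    def user_for_session(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user_id, seed_at_login = entry
        current = self.seeds.get(user_id)
        if current is None or not hmac.compare_digest(current, seed_at_login):
            del self.sessions[sid]  # stale: seed rotated or user deleted
            return None
        return user_id

    # --- self-contained 'Remember me' cookie --------------------------------
    def _cookie_mac(self, user_id, expiry, seed):
        msg = f"{user_id}:{expiry}:{seed}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_remember_me(self, user_id, ttl=14 * 86400, now=None):
        expiry = int(now if now is not None else time.time()) + ttl
        seed = self._current_seed(user_id)
        # The seed never leaves the server; only a MAC bound to it travels in the cookie.
        return f"{user_id}:{expiry}:{self._cookie_mac(user_id, expiry, seed)}"

    def user_for_cookie(self, cookie, now=None):
        try:
            user_id, expiry_s, mac = cookie.split(":")
            expiry = int(expiry_s)
        except ValueError:
            return None
        if expiry < (now if now is not None else time.time()):
            return None
        current = self.seeds.get(user_id)
        if current is None:
            return None  # user record deleted
        expected = self._cookie_mac(user_id, expiry, current)
        return user_id if hmac.compare_digest(expected, mac) else None


def demo(now=1_000_000):
    """Walk through login, seed reset and user deletion; returns what each check yields."""
    auth = SeedBoundAuth()
    sid = auth.login("alice")
    cookie = auth.issue_remember_me("alice", now=now)
    before = (auth.user_for_session(sid), auth.user_for_cookie(cookie, now=now))
    auth.reset_seed("alice")
    after_reset = (auth.user_for_session(sid), auth.user_for_cookie(cookie, now=now))
    sid2 = auth.login("alice")  # a fresh login under the new seed works again
    relogin = auth.user_for_session(sid2)
    auth.delete_user("alice")
    after_delete = auth.user_for_session(sid2)
    return {"before": before, "after_reset": after_reset,
            "relogin": relogin, "after_delete": after_delete}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the seed server-side and putting only a MAC over it into the cookie is that an administrator can revoke every outstanding credential for one account with a single write, without enumerating sessions or restarting the service, which is exactly the gap the advisory text describes.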
The v3.11 image has already been released with 2.150.2. Customers should look for:
registry.access.redhat.com/openshift3/jenkins-2-rhel7 v3.11 19080d270283 2 weeks ago 1.42GB
and the 4.0 image is shipping with 2.150.2.
Per the strategy for Jenkins security advisories, we are only updating 3.11.x and 4.x. Instructions for how older 3.x clusters can use the 3.11.x image are at https://github.com/openshift/jenkins#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary