Jenkins before LTS version 2.121.3 and weekly version 2.138 do not properly disable "Remember me" cookies. The "Remember me" feature can be disabled in the Jenkins security configuration. This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in. External Reference: https://jenkins.io/security/advisory/2018-08-15/#SECURITY-996
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1620347]
Upstream commit: https://github.com/jenkinsci/jenkins/commit/ef9583a24abc4de157e1570cb32d7a273d327f36