Fixed the HTTP request thread saturation problem with Winstone.
(cherry picked from commit 4b1a95f2)

Conflicts:

	changelog.html

(cherry picked from commit 20d628fa)

(cherry picked from commit b44df8b1)

Conflicts:

	core/pom.xml

(cherry picked from commit 6d99c02b)

This patch makes standard post-build action refuse to let you configure a downstream project you cannot currently build.
The one from parameterized-trigger will show an error in the configure screen but still lets you save the configuration; needs an analogous patch to that plugin.
Does not yet protect against POSTing config.xml with the trigger.
(cherry picked from commit 757bc8a5)

Conflicts:

	core/src/main/java/hudson/model/Descriptor.java

- My second patch, with whitelisted XPath values and forbidden JSONP.
- Disabling JSONP altogether for REST API (unless explicitly allowed).
- Forbid primitive XPath result sets by default.
- Refuse to serve _crumb=123456 as this could (very hypothetically) be exploited.
(cherry picked from commit f4af9b1a)

Conflicts:

	core/src/main/java/hudson/model/Api.java

(cherry picked from commit f8d2a0ba)

Require POST for various operations.
(cherry picked from commit 36c86243)

Conflicts:

	core/src/main/java/hudson/model/AbstractBuild.java

(cherry picked from commit 1fb2acfd)

Conflicts:

	core/src/main/java/hudson/model/AbstractProject.java
	core/src/main/java/hudson/model/ParametersDefinitionProperty.java

- Use the proper block cipher mode.
  Or else the information about the plain text still ends up revealing as a pattern without the attacker knowing the key.
- No need to hide SLAVE_SECRET from the encrypted payload.
  jnlpMac is needed to decrypt this payload to begin with, so there's no point in hiding it. This simplifies the code a little bit.
- Using a newer slave installer that uses the -secret option
(cherry picked from commit f4496df1)

Jesse's original patch
(cherry picked from commit 01a24e2c)

translation cleanup

purged duplicated translations for GlobalCrumbIssuerConfiguration
("Prevent Cross Site Request Forgery exploits").
Changed property name "Crumb" to "Crumbs" because this is the value that the existing translations actually use.

Improve UpdateSiteTest by adding valid Update sites

Removing old static field, which was not friendly to tests, especially multithreaded runners.
Cleaned up existing tests to use updateDirectly rather than POSTing raw JSON.

[JENKINS-15156] AbstractProject.builds accessed by Maven & matrix module builds before onLoad or onCreatedFromScratch called.
Seem to need to keep the deprecated no-arg RunMap initializer though it is unclear to me how it could work.

so iterate on itemGroup.getItems and filter by job names

used to browse workspace and run scm polling

Seems that the RunMap must be initialized before updateTransientActions, which uses it, is called.

[FIXED JENKINS-15156] Initialize AbstractLazyLoadRunMap.dir for newly created jobs.

Correctly support direct updates of html update sites