The actual fix has been implemented over the last dozen or so commits

[FIXED JENKINS-18364] Functions.getRelativeLinkTo is called many times during rendering, so skip checking View.getItems which is expensive.

Avoid extracting war file under /tmp. When jar files and resource files disappear from under
us, all sorts of strange errors happen.

[FIXED JENKINS-22382] Need to restore deprecated overload of BuildAuthorizationToken.checkPermission for binary compatibility.

User.current() can return null, so this better check for null

[FIXED JENKINS-20500] Pass ${it} as an alias for ${view} to t:queue and t:executors, correcting regression introduced in 8e6a3f7f.

(cherry picked from commit 20651de1)

This is just a locally patched version, so not meant to be used outside
core.

[FIXED JENKINS-19544] When OldDataMonitor is reported a Run, just remember the ID rather than holding a strong reference.

Integrated the new version of XStream that contains the fix.

Jenkins now remembers the authorities (read group memberships) that the user had carried when he/she last time interactively logged in.
This information is exposed via User.impersonate(), which is used when using Jenkins SSH, Jenkins CLI, or access via API tokens.

Previously this was impossible for a subset of SecurityRealms that does not allow us to read group membership information without
successful login (such as Active Directory, OpenID, etc.)

For security reasons, if the backend determines that the user does not exist (as opposed to the backend who cannot tell if the user
exists or not), then the impersonation will fail.

I need to check AD plugin is reporting a failure correctly in this case, before marking as JENKINS-20064 fixed.

An unexpected failure in processing remember me cookie should be handled
gracefully. In particular, possibly problematic cookie should be
removed, or else the browser will keep bombarding the server with the
same cookie, and will never be able to get through.

It's much better to just drop the cookie.