The following two things as described in the summary have to be done.
I have updated all Linux nodes for staging including Jenkins master. I will wait with updating production nodes until later today so we can be sure no regression will be introduced.
I updated all Linux nodes for the glibc fix and got them restarted - including the Jenkins master machines. Regarding the Java updates for all slave nodes I'm unsure if an update is necessary. The only two connections Java makes on those are the ones to the Jenkins master, and then to check for updates of Java. Michal, do you see it still crucial to get them all updated?
Thanks for the work here. If the application logic makes it impossible for the Java plugin/process on slaves to accept input from untrusted sources, I think that's OK to postpone the update. Seems like it's the case here.
That is correct. To initiate a connection with the Jenkins master I have to start a specific script on the slave. No external connection can invoke a Java process. So I will mark this bug as fixed then. Java updates I will do when I have to update all slaves the next time which should happen in May.