19215: Add -o pipefail to installer.sh

[arvados.git] / doc / admin / upgrading.html.textile.liquid

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index b034ba35d8a2306fc792f3eea5edd13d777c619e..cfdae50eb246bae8b042d1184e43bed4650c46be 100644 (file)
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -28,9 +28,10 @@ TODO: extract this information based on git commit messages and generate changel
 <div class="releasenotes">
 </notextile>
 
-h2(#main). development main (as of 2022-08-09)
 
-"previous: Upgrading to 2.4.2":#v2_4_2
+h2(#main). development main (as of 2022-09-21)
+
+"previous: Upgrading to 2.4.3":#v2_4_3
 
 h3. Renamed keep-web metrics and WebDAV configs
 
@@ -38,6 +39,16 @@ Metrics previously reported by keep-web (@arvados_keepweb_collectioncache_reques
 
 The config entries @Collections.WebDAVCache.UUIDTTL@, @...MaxCollectionEntries@, and @...MaxUUIDEntries@ are no longer used, and should be removed from your config file.
 
+h2(#v2_4_3). v2.4.3 (2022-09-21)
+
+"previous: Upgrading to 2.4.2":#v2_4_2
+
+h3. Fixed PAM authentication security vulnerability
+
+In Arvados 2.4.2 and earlier, when using PAM authentication, if a user presented valid credentials but the account is disabled or otherwise not allowed to access the host, it would still be accepted for access to Arvados.  From 2.4.3 onwards, Arvados now also checks that the account is permitted to access the host before completing the PAM login process.
+
+Other authentication methods (LDAP, OpenID Connect) are not affected by this flaw.
+
 h2(#v2_4_2). v2.4.2 (2022-08-09)
 
 "previous: Upgrading to 2.4.1":#v2_4_1