<div class="releasenotes">
</notextile>
-h2(#main). development main (as of 2022-08-09)
+
+h2(#main). development main (as of 2022-10-31)
+
+"previous: Upgrading to 2.4.4":#v2_4_4
+
+h3. Google or OpenID Connect login restricted to trusted clients
+
+If you use OpenID Connect or Google login, and your cluster serves as the @LoginCluster@ in a federation _or_ your users log in from a web application other than the Workbench1 and Workbench2 @ExternalURL@ addresses in your configuration file, the additional web application URLs (e.g., the other clusters' Workbench addresses) must be listed explicitly in @Login.TrustedClients@, otherwise login will fail. Previously, login would succeed with a less-privileged token.
+
+h3. New keepstore S3 driver enabled by default
+
+A more actively maintained S3 client library is now enabled by default for keeepstore services. The previous driver is still available for use in case of unknown issues. To use the old driver, set @DriverParameters.UseAWSS3v2Driver@ to @false@ on the appropriate @Volumes@ config entries.
+
+h3. Old container logs are automatically deleted from PostgreSQL
+
+Cached copies of log entries from containers that finished more than 1 month ago are now deleted automatically (this only affects the "live" logs saved in the PostgreSQL database, not log collections saved in Keep). If you have an existing cron job that runs @rake db:delete_old_container_logs@, you can remove it. See configuration options @Containers.Logging.MaxAge@ and @Containers.Logging.SweepInterval@.
+
+h3. Fixed salt installer template file to support container shell access
+
+If you manage your cluster using the salt installer, you may want to update it to the latest version, use the appropriate @config_examples@ subdirectory and re-reploy with your custom @local.params@ file so that the @arvados-controller@'s @nginx@ configuration file gets fixed.
+
+h3. Login-sync script requires configuration update on LoginCluster federations
+
+If you have @arvados-login-sync@ running on a satellite cluster, please update the environment variable settings by removing the @LOGINCLUSTER_ARVADOS_API_*@ variables and setting @ARVADOS_API_TOKEN@ to a LoginCluster's admin token, as described on the "updated install page":{{site.baseurl}}/install/install-shell-server.html#arvados-login-sync.
+
+h3. Renamed keep-web metrics and WebDAV configs
+
+Metrics previously reported by keep-web (@arvados_keepweb_collectioncache_requests@, @..._hits@, @..._pdh_hits@, @..._api_calls@, @..._cached_manifests@, and @arvados_keepweb_sessions_cached_collection_bytes@) have been replaced with @arvados_keepweb_cached_session_bytes@.
+
+The config entries @Collections.WebDAVCache.UUIDTTL@, @...MaxCollectionEntries@, and @...MaxUUIDEntries@ are no longer used, and should be removed from your config file.
+
+h2(#v2_4_4). v2.4.4 (2022-11-18)
+
+"previous: Upgrading to 2.4.3":#v2_4_3
+
+This update only consists of improvements to @arvados-cwl-runner@. There are no changes to backend services.
+
+h2(#v2_4_3). v2.4.3 (2022-09-21)
"previous: Upgrading to 2.4.2":#v2_4_2
-h2(#v2_4_2). v2.4.2 (2022-08-05)
+h3. Fixed PAM authentication security vulnerability
+
+In Arvados 2.4.2 and earlier, when using PAM authentication, if a user
+presented valid credentials but the account is disabled or otherwise
+not allowed to access the host, it would still be accepted for access
+to Arvados. From 2.4.3 onwards, Arvados now also checks that the
+account is permitted to access the host before completing the PAM login
+process.
+
+Other authentication methods (LDAP, OpenID Connect) are not affected
+by this flaw.
+
+h2(#v2_4_2). v2.4.2 (2022-08-09)
"previous: Upgrading to 2.4.1":#v2_4_1
h3. GHSL-2022-063
-GitHub Security Lab (GHSL) reported a remote code execution (RCE)
-vulnerability in the Arvados Workbench allows authenticated attackers
-to execute arbitrary code via specially crafted JSON payloads.
+GitHub Security Lab (GHSL) reported a remote code execution (RCE) vulnerability in the Arvados Workbench that allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
-This vulnerability is fixed in 2.4.2.
+This vulnerability is fixed in 2.4.2 ("#19316":https://dev.arvados.org/issues/19316).
-We believe the vulnerability exists all versions of Arvados up to 2.4.1.
+It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.
-This vulnerability is specific to the Ruby on Rails Workbench
-application ("Workbench 1"). We do not believe any other Arvados
-components, including the TypesScript based Workbench ("Workbench 2")
-or API Server, are vulnerable to this attack.
+This vulnerability is specific to the Ruby on Rails Workbench application ("Workbench 1"). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application ("Workbench 2") or API Server, are vulnerable to this attack.
h3. CVE-2022-31163 and CVE-2022-32224
-As a precaution, Arvados 2.4.2 has includes security updates for Ruby
-on Rails and the TZInfo Ruby gem. However, there are no known
-exploits in Arvados based on these CVEs.
+As a precaution, Arvados 2.4.2 has includes security updates for Ruby on Rails and the TZInfo Ruby gem. However, there are no known exploits in Arvados based on these CVEs.
h3. Disable Sharing URLs UI
-There is now a configuration option @Workbench.DisableSharingURLsUI@
-for admins to disable the user interface for "sharing link" feature
-(URLs which can be sent to users to access the data in a specific
-collection in Arvados without an Arvados account), for organizations
-where sharing links violate their data sharing policy.
+There is now a configuration option @Workbench.DisableSharingURLsUI@ for admins to disable the user interface for "sharing link" feature (URLs which can be sent to users to access the data in a specific collection in Arvados without an Arvados account), for organizations where sharing links violate their data sharing policy.
->>>>>>> d54486bf5 (Add upgrading notes refs #19330)
h2(#v2_4_1). v2.4.1 (2022-06-02)
"previous: Upgrading to 2.4.0":#v2_4_0
projects / arvados.git / blobdiff