Sync security update text. refs #19330

author Peter Amstutz <peter.amstutz@curii.com>

Fri, 5 Aug 2022 18:03:31 +0000 (14:03 -0400)

committer Peter Amstutz <peter.amstutz@curii.com>

Mon, 8 Aug 2022 16:56:42 +0000 (12:56 -0400)
author Peter Amstutz <peter.amstutz@curii.com>
Fri, 5 Aug 2022 18:03:31 +0000 (14:03 -0400)
committer Peter Amstutz <peter.amstutz@curii.com>
Mon, 8 Aug 2022 16:56:42 +0000 (12:56 -0400)
diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid

index 5d35ebb9a16d799db20cbd4a1c96daac8ece15b8..00b20c43ebcc1d37f230a99c3a2676da008a1fbf 100644 (file)
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -42,14 +42,15 @@ GitHub Security Lab (GHSL) reported a remote code execution (RCE)
  vulnerability in the Arvados Workbench that allows authenticated attackers
  to execute arbitrary code via specially crafted JSON payloads.
  
-This vulnerability is fixed in 2.4.2.
+This vulnerability is fixed in 2.4.2 ("#19316":https://dev.arvados.org/issues/19316).
  
-We believe the vulnerability exists in all versions of Arvados up to 2.4.1.
+It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.
  
  This vulnerability is specific to the Ruby on Rails Workbench
  application ("Workbench 1").  We do not believe any other Arvados
-components, including the TypesScript based Workbench ("Workbench 2")
-or API Server, are vulnerable to this attack.
+components, including the TypesScript browser-based Workbench
+application ("Workbench 2") or API Server, are vulnerable to this
+attack.
  
  h3. CVE-2022-31163 and CVE-2022-32224
author	Peter Amstutz <peter.amstutz@curii.com>
	Fri, 5 Aug 2022 18:03:31 +0000 (14:03 -0400)
committer	Peter Amstutz <peter.amstutz@curii.com>
	Mon, 8 Aug 2022 16:56:42 +0000 (12:56 -0400)