+h3. GHSL-2022-063
+
+GitHub Security Lab (GHSL) reported a remote code execution (RCE)
+vulnerability in the Arvados Workbench allows authenticated attackers
+to execute arbitrary code via specially crafted JSON payloads.
+
+This vulnerability is fixed in 2.4.2.
+
+We believe the vulnerability exists all versions of Arvados up to 2.4.1.
+
+This vulnerability is specific to the Ruby on Rails Workbench
+application ("Workbench 1"). We do not believe any other Arvados
+components, including the TypesScript based Workbench ("Workbench 2")
+or API Server, are vulnerable to this attack.
+
+h3. CVE-2022-31163 and CVE-2022-32224
+
+As a precaution, Arvados 2.4.2 has includes security updates for Ruby
+on Rails and the TZInfo Ruby gem. However, there are no known
+exploits in Arvados based on these CVEs.
+
+h3. Disable Sharing URLs UI
+
+There is now a configuration option @Workbench.DisableSharingURLsUI@
+for admins to disable the user interface for "sharing link" feature
+(URLs which can be sent to users to access the data in a specific
+collection in Arvados without an Arvados account), for organizations
+where sharing links violate their data sharing policy.
+
+>>>>>>> d54486bf5 (Add upgrading notes refs #19330)
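Review bot: the last added line, ">>>>>>> d54486bf5 (Add upgrading notes refs #19330)", is a leftover merge-conflict marker and will appear verbatim in the published upgrade notes. Drop it, and check that no matching "<<<<<<<" or "=======" line was committed earlier in the file. The added text also has wording slips worth fixing in the same pass: "vulnerability in the Arvados Workbench allows" should read "that allows", "exists all versions" should be "exists in all versions", "TypesScript" should be "TypeScript", and "has includes" should be "includes". In the Disable Sharing URLs UI section, the text says @Workbench.DisableSharingURLsUI@ disables the user interface for the feature; it would help to state the option's default and to say explicitly whether sharing links that already exist keep working once it is set.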