<div class="releasenotes">
</notextile>
-h2(#main). development main (as of 2022-08-09)
-"previous: Upgrading to 2.4.2":#v2_4_2
+h2(#main). development main (as of 2022-09-21)
+
+"previous: Upgrading to 2.4.3":#v2_4_3
h3. Renamed keep-web metrics and WebDAV configs
The config entries @Collections.WebDAVCache.UUIDTTL@, @...MaxCollectionEntries@, and @...MaxUUIDEntries@ are no longer used, and should be removed from your config file.
+h2(#v2_4_3). v2.4.3 (2022-09-21)
+
+"previous: Upgrading to 2.4.2":#v2_4_2
+
+h3. Fixed PAM authentication security vulnerability
+
+In Arvados 2.4.2 and earlier, when using PAM authentication, if a user
+presented valid credentials but the account is disabled or otherwise
+not allowed to access the host, it would still be accepted for access
+to Arvados. From 2.4.3 onwards, Arvados now also checks that the
+account is permitted to access the host before completing the PAM login
+process.
+
+Other authentication methods (LDAP, OpenID Connect) are not affected
+by this flaw.
+
h2(#v2_4_2). v2.4.2 (2022-08-09)
"previous: Upgrading to 2.4.1":#v2_4_1
require 'json'
require 'fileutils'
require 'andand'
+require 'net/http'
require 'arvados/google_api_client'
@config = config
end
+ def cluster_config
+ return @cluster_config if @cluster_config
+
+ uri = URI("https://#{config()["ARVADOS_API_HOST"]}/arvados/v1/config")
+ cc = JSON.parse(Net::HTTP.get(uri))
+
+ @cluster_config = cc
+ end
+
class Model
def self.arvados_api
arvados.arvados_api