From: Peter Amstutz <peter.amstutz@curii.com>
Date: Fri, 5 Aug 2022 18:03:31 +0000 (-0400)
Subject: Sync security update text.  refs #19330
X-Git-Tag: 2.5.0~98
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/750366f2b8978d52babc2345184a7797b4601a98

Sync security update text.  refs #19330

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz@curii.com>
---

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 5d35ebb9a1..00b20c43eb 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -42,14 +42,15 @@ GitHub Security Lab (GHSL) reported a remote code execution (RCE)
 vulnerability in the Arvados Workbench that allows authenticated attackers
 to execute arbitrary code via specially crafted JSON payloads.
 
-This vulnerability is fixed in 2.4.2.
+This vulnerability is fixed in 2.4.2 ("#19316":https://dev.arvados.org/issues/19316).
 
-We believe the vulnerability exists in all versions of Arvados up to 2.4.1.
+It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.
 
 This vulnerability is specific to the Ruby on Rails Workbench
 application ("Workbench 1").  We do not believe any other Arvados
-components, including the TypesScript based Workbench ("Workbench 2")
-or API Server, are vulnerable to this attack.
+components, including the TypesScript browser-based Workbench
+application ("Workbench 2") or API Server, are vulnerable to this
+attack.
 
 h3. CVE-2022-31163 and CVE-2022-32224