From: Peter Amstutz Date: Fri, 5 Aug 2022 17:13:32 +0000 (-0400) Subject: Add upgrading notes refs #19330 X-Git-Tag: 2.5.0~100 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/7822d4d431284d0912ba40d288da81a1eac68a3e Add upgrading notes refs #19330 Arvados-DCO-1.1-Signed-off-by: Peter Amstutz --- diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid index 96e68239b6..ca22473bd4 100644 --- a/doc/admin/upgrading.html.textile.liquid +++ b/doc/admin/upgrading.html.textile.liquid @@ -28,10 +28,44 @@ TODO: extract this information based on git commit messages and generate changel
-h2(#main). development main (as of 2022-06-02) +h2(#main). development main (as of 2022-08-09) + +"previous: Upgrading to 2.4.2":#v2_4_2 + +h2(#v2_4_2). v2.4.2 (2022-08-05) "previous: Upgrading to 2.4.1":#v2_4_1 +h3. GHSL-2022-063 + +GitHub Security Lab (GHSL) reported a remote code execution (RCE) +vulnerability in the Arvados Workbench allows authenticated attackers +to execute arbitrary code via specially crafted JSON payloads. + +This vulnerability is fixed in 2.4.2. + +We believe the vulnerability exists all versions of Arvados up to 2.4.1. + +This vulnerability is specific to the Ruby on Rails Workbench +application ("Workbench 1"). We do not believe any other Arvados +components, including the TypesScript based Workbench ("Workbench 2") +or API Server, are vulnerable to this attack. + +h3. CVE-2022-31163 and CVE-2022-32224 + +As a precaution, Arvados 2.4.2 has includes security updates for Ruby +on Rails and the TZInfo Ruby gem. However, there are no known +exploits in Arvados based on these CVEs. + +h3. Disable Sharing URLs UI + +There is now a configuration option @Workbench.DisableSharingURLsUI@ +for admins to disable the user interface for "sharing link" feature +(URLs which can be sent to users to access the data in a specific +collection in Arvados without an Arvados account), for organizations +where sharing links violate their data sharing policy. + +>>>>>>> d54486bf5 (Add upgrading notes refs #19330) h2(#v2_4_1). v2.4.1 (2022-06-02) "previous: Upgrading to 2.4.0":#v2_4_0
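Review bot: a merge-conflict marker was committed into the rendered upgrade notes: the hunk ends with `+>>>>>>> d54486bf5 (Add upgrading notes refs #19330)` immediately before the unchanged `h2(#v2_4_1)` heading, and no matching `<<<<<<<` or `=======` line appears, so this is leftover resolution debris that will be published verbatim in doc/admin/upgrading.html.textile.liquid. Drop that line. While touching the same block, the new advisory text has wording errors worth fixing before release: "+vulnerability in the Arvados Workbench allows authenticated attackers" reads better as "that allows"; "+We believe the vulnerability exists all versions of Arvados up to 2.4.1." is missing "in"; "+components, including the TypesScript based Workbench" should be "TypeScript"; and "+As a precaution, Arvados 2.4.2 has includes security updates" should be "includes". Two documentation gaps remain for an admin reading this as an upgrade/security note: the GHSL-2022-063 section gives no link to the advisory or the fixing commit, and the `Workbench.DisableSharingURLsUI` section says only that the user interface is disabled, so it should state explicitly whether sharing URLs that were issued before the option is set keep working, since the stated audience is organizations whose policy forbids such links.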