[arvados] updated: 2.4.2-33-g1adc1e6b8

git repository hosting git at public.arvados.org
Wed Sep 21 21:12:05 UTC 2022


Summary of changes:
 doc/admin/upgrading.html.textile.liquid | 16 ++++++++++++++++
 tools/arvbox/bin/arvbox                 |  2 +-
 tools/salt-install/provision.sh         |  2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)

       via  1adc1e6b8ae357992d39c6b6bc1bc16192a94d9c (commit)
      from  278076e84c7ea6d99f8ca4020688d52d7518ceee (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 1adc1e6b8ae357992d39c6b6bc1bc16192a94d9c
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Wed Sep 21 17:09:02 2022 -0400

    Add upgrade notes for 2.4.3
    
    refs #19532
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 1eedb3000..455db9e40 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -28,6 +28,22 @@ TODO: extract this information based on git commit messages and generate changel
 <div class="releasenotes">
 </notextile>
 
+h2(#v2_4_2). v2.4.3 (2022-09-21)
+
+"previous: Upgrading to 2.4.2":#v2_4_2
+
+h3. Fixed PAM authentication security vulnerability
+
+In Arvados 2.4.2 and earlier, when using PAM authentication, if a user
+presented valid credentials but the account is disabled or otherwise
+not allowed to access the host, it would still be accepted for access
+to Arvados.  From 2.4.3 onwards, Arvados now also checks that the
+account is permitted to access the host before completing the PAM login
+process.
+
+Other authentication methods (LDAP, OpenID Connect) are not affected
+by this flaw.
+
 h2(#v2_4_2). v2.4.2 (2022-08-09)
 
 "previous: Upgrading to 2.4.1":#v2_4_1
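Review bot: The new heading "h2(#v2_4_2). v2.4.3 (2022-09-21)" reuses the anchor id v2_4_2, which the existing "h2(#v2_4_2). v2.4.2 (2022-08-09)" heading directly below it already carries. The page ends up with two elements sharing one id, and the new "previous: Upgrading to 2.4.2":#v2_4_2 link can resolve to the 2.4.3 heading itself instead of the 2.4.2 section. The new heading should read "h2(#v2_4_3). v2.4.3 (2022-09-21)". Smaller point in the same hunk: the advisory paragraph mixes tenses ("presented valid credentials but the account is disabled"), and "From 2.4.3 onwards, Arvados now also checks" can drop "now". Since this is a security note, it would also help to say whether sites using PAM need to do anything after upgrading beyond installing 2.4.3.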
diff --git a/tools/arvbox/bin/arvbox b/tools/arvbox/bin/arvbox
index 5ea5573ac..7339668c8 100755
--- a/tools/arvbox/bin/arvbox
+++ b/tools/arvbox/bin/arvbox
@@ -61,7 +61,7 @@ if test -z "$WORKBENCH2_BRANCH" ; then
 fi
 
 # Update this to the docker tag for the version on releases.
-DEFAULT_TAG=2.4.2
+DEFAULT_TAG=2.4.3
 
 PG_DATA="$ARVBOX_DATA/postgres"
 VAR_DATA="$ARVBOX_DATA/var"
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 512a4932a..ac3b8bf72 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -198,7 +198,7 @@ CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
 # The "local.params.example.*" files already set "RELEASE=production"
 # to deploy  production-ready packages
 RELEASE="production"
-VERSION="2.4.2-1"
+VERSION="2.4.3-1"
 
 # These are arvados-formula-related parameters
 # An arvados-formula tag. For a stable release, this should be a
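Review bot: The commit message says only "Add upgrade notes for 2.4.3", but this hunk changes VERSION from "2.4.2-1" to "2.4.3-1" in tools/salt-install/provision.sh, and the previous hunk changes DEFAULT_TAG to 2.4.3 in tools/arvbox/bin/arvbox. Either mention the version bumps in the message or put them in their own commit, so that someone searching the log for when the installer and arvbox defaults moved to the release carrying the PAM fix can find it. The release number is also edited by hand in two scripts here with different formats (2.4.3 and 2.4.3-1); a short comment above VERSION explaining the "-1" suffix, like the one above DEFAULT_TAG, would make the next bump less error-prone.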

-----------------------------------------------------------------------


hooks/post-receive
-- 



