[arvados] updated: 2.4.1-21-gd54486bf5
git repository hosting
git at public.arvados.org
Fri Aug 5 17:13:59 UTC 2022
Summary of changes:
doc/admin/upgrading.html.textile.liquid | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
via d54486bf595dd599ff4c0a5ff3b5fa5afb18a4c9 (commit)
from 3ae5d83fcfa21924f972efdfc19d1aa52637f936 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit d54486bf595dd599ff4c0a5ff3b5fa5afb18a4c9
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Fri Aug 5 13:13:32 2022 -0400
Add upgrading notes refs #19330
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index f2e10bf36..94a119dbf 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -28,6 +28,39 @@ TODO: extract this information based on git commit messages and generate changel
<div class="releasenotes">
</notextile>
+h2(#v2_4_2). v2.4.2 (2022-08-05)
+
+"previous: Upgrading to 2.4.1":#v2_4_1
+
+h3. GHSL-2022-063
+
+GitHub Security Lab (GHSL) reported a remote code execution (RCE)
+vulnerability in the Arvados Workbench allows authenticated attackers
+to execute arbitrary code via specially crafted JSON payloads.
+
+This vulnerability is fixed in 2.4.2.
+
+We believe the vulnerability exists all versions of Arvados up to 2.4.1.
+
+This vulnerability is specific to the Ruby on Rails Workbench
+application ("Workbench 1"). We do not believe any other Arvados
+components, including the TypesScript based Workbench ("Workbench 2")
+or API Server, are vulnerable to this attack.
+
+h3. CVE-2022-31163 and CVE-2022-32224
+
+As a precaution, Arvados 2.4.2 has includes security updates for Ruby
+on Rails and the TZInfo Ruby gem. However, there are no known
+exploits in Arvados based on these CVEs.
+
+h3. Disable Sharing URLs UI
+
+There is now a configuration option @Workbench.DisableSharingURLsUI@
+for admins to disable the user interface for "sharing link" feature
+(URLs which can be sent to users to access the data in a specific
+collection in Arvados without an Arvados account), for organizations
+where sharing links violate their data sharing policy.
+
h2(#v2_4_1). v2.4.1 (2022-06-02)
"previous: Upgrading to 2.4.0":#v2_4_0
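Review bot: The added v2.4.2 notes contain wording errors that blur the security statement. In the GHSL-2022-063 section, "vulnerability in the Arvados Workbench allows" should read "that allows", "exists all versions" should be "exists in all versions", and "TypesScript" should be "TypeScript"; under the CVE-2022-31163 and CVE-2022-32224 heading, "has includes" should be "includes". The GHSL section says only "This vulnerability is fixed in 2.4.2" and gives no action item; since these are upgrading notes, consider adding a sentence telling sites that run Workbench 1 to upgrade. For @Workbench.DisableSharingURLsUI@, the text describes disabling only "the user interface" for sharing links; because the stated motivation is data sharing policy, it would help to say whether existing sharing links keep working once the option is set.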
-----------------------------------------------------------------------
hooks/post-receive
--