[arvados] updated: 2.4.1-24-gb54a215b5
git repository hosting
git at public.arvados.org
Fri Aug 5 18:04:08 UTC 2022
Summary of changes:
doc/admin/upgrading.html.textile.liquid | 11 ++++++-----
tools/arvbox/bin/arvbox | 2 +-
tools/salt-install/provision.sh | 2 +-
3 files changed, 8 insertions(+), 7 deletions(-)
via b54a215b5d74eca9a61d392b07890f628a296abe (commit)
via a2a7a87abc0a4516c4f57fb028c7d6fc8ae2859b (commit)
via 82c9f4c196eee6b8498db4168ae7caa6465ca1a9 (commit)
from d54486bf595dd599ff4c0a5ff3b5fa5afb18a4c9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email, so we list those
revisions in full, below.
commit b54a215b5d74eca9a61d392b07890f628a296abe
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Fri Aug 5 14:03:31 2022 -0400
Sync security update text. refs #19330
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index c4d793006..a54c62826 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -38,14 +38,15 @@ GitHub Security Lab (GHSL) reported a remote code execution (RCE)
vulnerability in the Arvados Workbench that allows authenticated attackers
to execute arbitrary code via specially crafted JSON payloads.
-This vulnerability is fixed in 2.4.2.
+This vulnerability is fixed in 2.4.2 ("#19316":https://dev.arvados.org/issues/19316).
-We believe the vulnerability exists in all versions of Arvados up to 2.4.1.
+It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.
This vulnerability is specific to the Ruby on Rails Workbench
application ("Workbench 1"). We do not believe any other Arvados
-components, including the TypesScript based Workbench ("Workbench 2")
-or API Server, are vulnerable to this attack.
+components, including the TypesScript browser-based Workbench
+application ("Workbench 2") or API Server, are vulnerable to this
+attack.
h3. CVE-2022-31163 and CVE-2022-32224
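Review bot: the rewritten sentence still carries the misspelling "TypesScript" in the added line `+components, including the TypesScript browser-based Workbench`; since this hunk already rewrites that line, correct it to "TypeScript" here rather than in a later grammar pass. The added issue reference on the fix line (`"#19316":https://dev.arvados.org/issues/19316`) is the right kind of pointer for an advisory paragraph; the wording change from "We believe" to "It is likely" is fine, but keep in mind it drops the explicit statement of who is making the assessment.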
commit a2a7a87abc0a4516c4f57fb028c7d6fc8ae2859b
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Fri Aug 5 13:51:24 2022 -0400
Adjust default version for provision.sh / arvbox
refs #19330
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/tools/arvbox/bin/arvbox b/tools/arvbox/bin/arvbox
index 362a28d97..5ea5573ac 100755
--- a/tools/arvbox/bin/arvbox
+++ b/tools/arvbox/bin/arvbox
@@ -61,7 +61,7 @@ if test -z "$WORKBENCH2_BRANCH" ; then
fi
# Update this to the docker tag for the version on releases.
-DEFAULT_TAG=2.4.1
+DEFAULT_TAG=2.4.2
PG_DATA="$ARVBOX_DATA/postgres"
VAR_DATA="$ARVBOX_DATA/var"
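Review bot: bumping `DEFAULT_TAG=2.4.2` means a default arvbox run will try to pull the 2.4.2 Docker image, so this should only be merged once that tag is actually published; the commit is dated the same day as the v2.4.2 entry in the upgrade notes, so please confirm the image exists before this lands, otherwise fresh arvbox installs fail at the pull step. The comment above the line already says to update it on releases, so no further documentation is needed here.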
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 7107bd080..ceaddb497 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -198,7 +198,7 @@ CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
# The "local.params.example.*" files already set "RELEASE=production"
# to deploy production-ready packages
RELEASE="production"
-VERSION="2.4.1-1"
+VERSION="2.4.2-1"
# These are arvados-formula-related parameters
# An arvados-formula tag. For a stable release, this should be a
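Review bot: `VERSION="2.4.2-1"` pins the exact package version that provision.sh will request from the production repository, so as with the arvbox tag in the same commit, confirm the 2.4.2-1 packages are published before merging. The same release number now has to be bumped by hand in two places (this file and tools/arvbox/bin/arvbox); a short release checklist entry, or reading the version from one shared location, would keep the two from drifting apart on the next security release.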
commit 82c9f4c196eee6b8498db4168ae7caa6465ca1a9
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Fri Aug 5 13:29:43 2022 -0400
Grammar fixes
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 94a119dbf..c4d793006 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -35,12 +35,12 @@ h2(#v2_4_2). v2.4.2 (2022-08-05)
h3. GHSL-2022-063
GitHub Security Lab (GHSL) reported a remote code execution (RCE)
-vulnerability in the Arvados Workbench allows authenticated attackers
+vulnerability in the Arvados Workbench that allows authenticated attackers
to execute arbitrary code via specially crafted JSON payloads.
This vulnerability is fixed in 2.4.2.
-We believe the vulnerability exists all versions of Arvados up to 2.4.1.
+We believe the vulnerability exists in all versions of Arvados up to 2.4.1.
This vulnerability is specific to the Ruby on Rails Workbench
application ("Workbench 1"). We do not believe any other Arvados
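Review bot: both corrections are right ("that allows", "exists in"). The unchanged line `This vulnerability is fixed in 2.4.2.` gives no pointer to the tracking issue, which readers of an advisory section will want; the later commit b54a215 in this same push adds the #19316 link, so that gap is already closed and nothing further is needed on this hunk.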
-----------------------------------------------------------------------
hooks/post-receive