[arvados] updated: 2.1.0-2845-g42c20b25e

git repository hosting git at public.arvados.org
Mon Aug 8 16:56:56 UTC 2022


Summary of changes:
 doc/admin/upgrading.html.textile.liquid            | 25 +++++++++++++++++++++-
 ...l.params.example.single_host_multiple_hostnames |  2 +-
 ...ocal.params.example.single_host_single_hostname |  2 +-
 tools/salt-install/provision.sh                    |  2 +-
 4 files changed, 27 insertions(+), 4 deletions(-)

       via  42c20b25e1325124b88e3b9b285544dc41122b56 (commit)
       via  c8cbf2509601da0890bccc7f9ef5f5a8eaa307d0 (commit)
       via  8d0b26e44e50df56d63f489cc62f4c04fbe613e7 (commit)
       via  067b16c3cb19f17cca368b1373977c5610511806 (commit)
       via  750366f2b8978d52babc2345184a7797b4601a98 (commit)
       via  101c02ace8036f92d07e3d5e22736267381c0489 (commit)
       via  7822d4d431284d0912ba40d288da81a1eac68a3e (commit)
      from  1cbf8cd312dd019809b060d83999c677e94dbe7e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 42c20b25e1325124b88e3b9b285544dc41122b56
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Mon Aug 8 12:51:34 2022 -0400

    Fix 2.4.2 upgrade notes formatting refs #19330
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 29a82fd27..43d541ccc 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -38,33 +38,21 @@ h2(#v2_4_2). v2.4.2 (2022-08-09)
 
 h3. GHSL-2022-063
 
-GitHub Security Lab (GHSL) reported a remote code execution (RCE)
-vulnerability in the Arvados Workbench that allows authenticated attackers
-to execute arbitrary code via specially crafted JSON payloads.
+GitHub Security Lab (GHSL) reported a remote code execution (RCE) vulnerability in the Arvados Workbench that allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
 
 This vulnerability is fixed in 2.4.2 ("#19316":https://dev.arvados.org/issues/19316).
 
 It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.
 
-This vulnerability is specific to the Ruby on Rails Workbench
-application ("Workbench 1").  We do not believe any other Arvados
-components, including the TypesScript browser-based Workbench
-application ("Workbench 2") or API Server, are vulnerable to this
-attack.
+This vulnerability is specific to the Ruby on Rails Workbench application ("Workbench 1").  We do not believe any other Arvados components, including the TypesScript browser-based Workbench application ("Workbench 2") or API Server, are vulnerable to this attack.
 
 h3. CVE-2022-31163 and CVE-2022-32224
 
-As a precaution, Arvados 2.4.2 has includes security updates for Ruby
-on Rails and the TZInfo Ruby gem.  However, there are no known
-exploits in Arvados based on these CVEs.
+As a precaution, Arvados 2.4.2 has includes security updates for Ruby on Rails and the TZInfo Ruby gem.  However, there are no known exploits in Arvados based on these CVEs.
 
 h3. Disable Sharing URLs UI
 
-There is now a configuration option @Workbench.DisableSharingURLsUI@
-for admins to disable the user interface for "sharing link" feature
-(URLs which can be sent to users to access the data in a specific
-collection in Arvados without an Arvados account), for organizations
-where sharing links violate their data sharing policy.
+There is now a configuration option @Workbench.DisableSharingURLsUI@ for admins to disable the user interface for "sharing link" feature (URLs which can be sent to users to access the data in a specific collection in Arvados without an Arvados account), for organizations where sharing links violate their data sharing policy.
 
 >>>>>>> d54486bf5 (Add upgrading notes refs #19330)
 h2(#v2_4_1). v2.4.1 (2022-06-02)
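Review bot: the reflow leaves the stray conflict marker `>>>>>>> d54486bf5 (Add upgrading notes refs #19330)` in place directly before the `h2(#v2_4_1)` heading; it sits in the unchanged context of this hunk and will be rendered into the published upgrade notes, so it should be deleted as part of this same formatting fix. The reflowed paragraphs also carry two typos that a "fix formatting" commit is the natural place to correct: `has includes` (should read `includes`) in the CVE paragraph, and `TypesScript` (should be `TypeScript`) in the Workbench 2 sentence; `disable the user interface for "sharing link" feature` is missing the article `the`.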

commit c8cbf2509601da0890bccc7f9ef5f5a8eaa307d0
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Mon Aug 8 09:27:03 2022 -0400

    Fix 2.4.2 release date refs #19330
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 00b20c43e..29a82fd27 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -32,7 +32,7 @@ h2(#main). development main (as of 2022-08-09)
 
 "previous: Upgrading to 2.4.2":#v2_4_2
 
-h2(#v2_4_2). v2.4.2 (2022-08-05)
+h2(#v2_4_2). v2.4.2 (2022-08-09)
 
 "previous: Upgrading to 2.4.1":#v2_4_1
 

commit 8d0b26e44e50df56d63f489cc62f4c04fbe613e7
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Fri Aug 5 15:40:08 2022 -0400

    Include shell in complete list of provision.sh roles refs #19330
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index f4660be37..638e5de80 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -625,7 +625,7 @@ if [ -z "${ROLES}" ]; then
     echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls
     echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls
 
-    for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do
+    for c in controller websocket workbench workbench2 webshell keepweb keepproxy shell; do
       # Are we in a single-host-single-hostname env?
       if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
         # Are we in a single-host-single-hostname env?
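Review bot: adding `shell` to this certificate loop means the full role list is now maintained by hand in three places (this `for c in ...` line and the `NODES` entries in both `local.params.example.*` files) with nothing keeping them in sync, which is exactly how `shell` went missing; consider driving this loop from one shared role list, or at least adding a comment that points at the example files so the next role added lands in all three. Unrelated but visible in the context: the comment `# Are we in a single-host-single-hostname env?` is repeated on consecutive lines around the `if`, so the second copy should describe the inner branch or be dropped.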

commit 067b16c3cb19f17cca368b1373977c5610511806
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Fri Aug 5 15:26:15 2022 -0400

    Missing shell role in single node install refs #19330
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/tools/salt-install/local.params.example.single_host_multiple_hostnames b/tools/salt-install/local.params.example.single_host_multiple_hostnames
index 20f334166..f072fedb4 100644
--- a/tools/salt-install/local.params.example.single_host_multiple_hostnames
+++ b/tools/salt-install/local.params.example.single_host_multiple_hostnames
@@ -19,7 +19,7 @@ DEPLOY_USER=root
 # installer.sh will log in to each of these nodes and then provision
 # it for the specified roles.
 NODES=(
-  [localhost]=api,controller,websocket,dispatcher,keepbalance,keepstore,keepproxy,keepweb,workbench,workbench2,webshell
+  [localhost]=api,controller,websocket,dispatcher,keepbalance,keepstore,keepproxy,keepweb,workbench,workbench2,webshell,shell
 )
 
 # External ports used by the Arvados services
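Review bot: the same `NODES` line is copied verbatim into `local.params.example.single_host_single_hostname` in this commit, and the role list is repeated again in the `provision.sh` certificate loop; with a missing role failing silently (the bug fixed here), a comment stating which roles a complete single-node install requires, or a check comparing these lists, would prevent the next drift. The surrounding comment `installer.sh will log in to each of these nodes` also reads oddly for an entry keyed by `localhost`; a short note that a single-host install provisions the local machine would help first-time readers.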
diff --git a/tools/salt-install/local.params.example.single_host_single_hostname b/tools/salt-install/local.params.example.single_host_single_hostname
index a68450094..fdb10cf63 100644
--- a/tools/salt-install/local.params.example.single_host_single_hostname
+++ b/tools/salt-install/local.params.example.single_host_single_hostname
@@ -19,7 +19,7 @@ DEPLOY_USER=root
 # installer.sh will log in to each of these nodes and then provision
 # it for the specified roles.
 NODES=(
-  [localhost]=api,controller,websocket,dispatcher,keepbalance,keepstore,keepproxy,keepweb,workbench,workbench2,webshell
+  [localhost]=api,controller,websocket,dispatcher,keepbalance,keepstore,keepproxy,keepweb,workbench,workbench2,webshell,shell
 )
 
 # Set this value when installing a cluster in a single host with a single

commit 750366f2b8978d52babc2345184a7797b4601a98
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Fri Aug 5 14:03:31 2022 -0400

    Sync security update text.  refs #19330
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 5d35ebb9a..00b20c43e 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -42,14 +42,15 @@ GitHub Security Lab (GHSL) reported a remote code execution (RCE)
 vulnerability in the Arvados Workbench that allows authenticated attackers
 to execute arbitrary code via specially crafted JSON payloads.
 
-This vulnerability is fixed in 2.4.2.
+This vulnerability is fixed in 2.4.2 ("#19316":https://dev.arvados.org/issues/19316).
 
-We believe the vulnerability exists in all versions of Arvados up to 2.4.1.
+It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.
 
 This vulnerability is specific to the Ruby on Rails Workbench
 application ("Workbench 1").  We do not believe any other Arvados
-components, including the TypesScript based Workbench ("Workbench 2")
-or API Server, are vulnerable to this attack.
+components, including the TypesScript browser-based Workbench
+application ("Workbench 2") or API Server, are vulnerable to this
+attack.
 
 h3. CVE-2022-31163 and CVE-2022-32224
 
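Review bot: the added line `+components, including the TypesScript browser-based Workbench` keeps the misspelling `TypesScript` from the line it replaces; since this commit is rewording exactly that sentence, fix it to `TypeScript` here rather than leaving it for a later pass. The new issue link `("#19316":https://dev.arvados.org/issues/19316)` is the right place to point readers for details, so the sentence `It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.` could state whether that assessment is the project's or GHSL's, since admins will use it to decide which deployments to patch.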

commit 101c02ace8036f92d07e3d5e22736267381c0489
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Fri Aug 5 13:29:43 2022 -0400

    Grammar fixes refs #19330
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index ca22473bd..5d35ebb9a 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -39,12 +39,12 @@ h2(#v2_4_2). v2.4.2 (2022-08-05)
 h3. GHSL-2022-063
 
 GitHub Security Lab (GHSL) reported a remote code execution (RCE)
-vulnerability in the Arvados Workbench allows authenticated attackers
+vulnerability in the Arvados Workbench that allows authenticated attackers
 to execute arbitrary code via specially crafted JSON payloads.
 
 This vulnerability is fixed in 2.4.2.
 
-We believe the vulnerability exists all versions of Arvados up to 2.4.1.
+We believe the vulnerability exists in all versions of Arvados up to 2.4.1.
 
 This vulnerability is specific to the Ruby on Rails Workbench
 application ("Workbench 1").  We do not believe any other Arvados

commit 7822d4d431284d0912ba40d288da81a1eac68a3e
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Fri Aug 5 13:13:32 2022 -0400

    Add upgrading notes refs #19330
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 96e68239b..ca22473bd 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -28,10 +28,44 @@ TODO: extract this information based on git commit messages and generate changel
 <div class="releasenotes">
 </notextile>
 
-h2(#main). development main (as of 2022-06-02)
+h2(#main). development main (as of 2022-08-09)
+
+"previous: Upgrading to 2.4.2":#v2_4_2
+
+h2(#v2_4_2). v2.4.2 (2022-08-05)
 
 "previous: Upgrading to 2.4.1":#v2_4_1
 
+h3. GHSL-2022-063
+
+GitHub Security Lab (GHSL) reported a remote code execution (RCE)
+vulnerability in the Arvados Workbench allows authenticated attackers
+to execute arbitrary code via specially crafted JSON payloads.
+
+This vulnerability is fixed in 2.4.2.
+
+We believe the vulnerability exists all versions of Arvados up to 2.4.1.
+
+This vulnerability is specific to the Ruby on Rails Workbench
+application ("Workbench 1").  We do not believe any other Arvados
+components, including the TypesScript based Workbench ("Workbench 2")
+or API Server, are vulnerable to this attack.
+
+h3. CVE-2022-31163 and CVE-2022-32224
+
+As a precaution, Arvados 2.4.2 has includes security updates for Ruby
+on Rails and the TZInfo Ruby gem.  However, there are no known
+exploits in Arvados based on these CVEs.
+
+h3. Disable Sharing URLs UI
+
+There is now a configuration option @Workbench.DisableSharingURLsUI@
+for admins to disable the user interface for "sharing link" feature
+(URLs which can be sent to users to access the data in a specific
+collection in Arvados without an Arvados account), for organizations
+where sharing links violate their data sharing policy.
+
+>>>>>>> d54486bf5 (Add upgrading notes refs #19330)
 h2(#v2_4_1). v2.4.1 (2022-06-02)
 
 "previous: Upgrading to 2.4.0":#v2_4_0
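Review bot: the line `+>>>>>>> d54486bf5 (Add upgrading notes refs #19330)` is a leftover git conflict marker committed into the documentation source; it should be removed before merge, and it survives every follow-up commit in this push, so the published notes will show it. Also in this hunk: `vulnerability in the Arvados Workbench allows` is missing `that`, `exists all versions` is missing `in`, and `has includes` should be `includes` (the first two are corrected by later commits in this push, the third is not). The heading `h2(#v2_4_2). v2.4.2 (2022-08-05)` is changed to 2022-08-09 in a later commit while `development main (as of 2022-08-09)` already uses the new date here, so the two dates were inconsistent within this single commit.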

-----------------------------------------------------------------------


hooks/post-receive
-- 