[arvados] updated: 2.1.0-2929-g4dda327f4

git repository hosting git at public.arvados.org
Thu Sep 22 19:33:12 UTC 2022


Summary of changes:
 doc/admin/upgrading.html.textile.liquid | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

       via  4dda327f44e3ad7c700a8f5cee4dc530292fba7d (commit)
      from  a9be3117466506dffc39617be1c58406c5914e4b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 4dda327f44e3ad7c700a8f5cee4dc530292fba7d
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Wed Sep 21 17:09:02 2022 -0400

    Add upgrade notes for 2.4.3
    
    refs #19532
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index b034ba35d..7ee8fbb08 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -28,9 +28,10 @@ TODO: extract this information based on git commit messages and generate changel
 <div class="releasenotes">
 </notextile>
 
-h2(#main). development main (as of 2022-08-09)
 
-"previous: Upgrading to 2.4.2":#v2_4_2
+h2(#main). development main (as of 2022-09-21)
+
+"previous: Upgrading to 2.4.3":#v2_4_3
 
 h3. Renamed keep-web metrics and WebDAV configs
 
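Review bot: a stray blank line ends up above the `h2(#main)` heading, because the old heading is deleted above an unchanged blank line and the new one is added below it, leaving two consecutive blank lines after `</notextile>`. Only the date and the link target actually change here, so editing the two lines in place (`as of 2022-09-21` and `"previous: Upgrading to 2.4.3":#v2_4_3`) would keep the hunk to two changed lines and leave the spacing as it was.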
@@ -38,6 +39,22 @@ Metrics previously reported by keep-web (@arvados_keepweb_collectioncache_reques
 
 The config entries @Collections.WebDAVCache.UUIDTTL@, @...MaxCollectionEntries@, and @...MaxUUIDEntries@ are no longer used, and should be removed from your config file.
 
+h2(#v2_4_3). v2.4.3 (2022-09-21)
+
+"previous: Upgrading to 2.4.2":#v2_4_2
+
+h3. Fixed PAM authentication security vulnerability
+
+In Arvados 2.4.2 and earlier, when using PAM authentication, if a user
+presented valid credentials but the account is disabled or otherwise
+not allowed to access the host, it would still be accepted for access
+to Arvados.  From 2.4.3 onwards, Arvados now also checks that the
+account is permitted to access the host before completing the PAM login
+process.
+
+Other authentication methods (LDAP, OpenID Connect) are not affected
+by this flaw.
+
 h2(#v2_4_2). v2.4.2 (2022-08-09)
 
 "previous: Upgrading to 2.4.1":#v2_4_1

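Review bot: the new v2.4.3 section gives administrators who use PAM login no guidance beyond upgrading. The text says that in 2.4.2 and earlier a disabled or host-restricted account "would still be accepted for access to Arvados", so a sentence recommending a check for logins by such accounts before the upgrade would make the note actionable. The wording can also be tightened: "presented valid credentials but the account is disabled" mixes tenses, "it would still be accepted" has no clear referent, and "From 2.4.3 onwards, Arvados now also checks" is redundant. Something like "if a user presented valid credentials but the account was disabled ..., the login would still be accepted" and "From 2.4.3 onwards, Arvados also checks" reads more cleanly. The section also has no link to the issue cited in the commit message (#19532), which readers looking for details would want.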
-----------------------------------------------------------------------


hooks/post-receive
-- 



