[arvados] Arvados 2.4.2 released

peter.amstutz at curii.com peter.amstutz at curii.com
Thu Aug 11 19:18:36 UTC 2022


Hello,

The Arvados team is pleased to announce Arvados 2.4.2.

This release includes a critical security update to address vulnerability
GHSL-2022-063, described below. We strongly recommend that *all*
installations of Arvados, especially those accessible via the public
Internet, upgrade to 2.4.2 as soon as possible. See Upgrading Arvados
<https://doc.arvados.org/v2.4/admin/upgrading.html> for upgrade
instructions.

In addition, this release includes several performance improvements,
usability improvements, and bug fixes.

Security updates

GHSL-2022-063

GitHub Security Lab (GHSL) reported a remote code execution (RCE)
vulnerability in the Arvados Workbench that allows authenticated attackers
to execute arbitrary code via specially crafted JSON payloads.

This vulnerability is fixed in 2.4.2 (#19316
<https://dev.arvados.org/issues/19316>).

It is likely that this vulnerability exists in all versions of Arvados up
to 2.4.1.

This vulnerability is specific to the Ruby on Rails Workbench application
(“Workbench 1”). We do not believe any other Arvados components, including
the TypeScript browser-based Workbench application (“Workbench 2”) or API
Server, are vulnerable to this attack.

CVE-2022-31163 and CVE-2022-32224

As a precaution, Arvados 2.4.2 includes security updates for Ruby on Rails
and the TZInfo Ruby gem. However, there are no known exploits in Arvados
based on these CVEs.

New Features

#18984 <https://dev.arvados.org/issues/18984>

The “Type” column filters in the Workbench 2 Projects view are now expanded
by default, and intermediate workflow steps are now hidden by default.

#18203 <https://dev.arvados.org/issues/18203>

In Workbench 2, after adding a metadata element to a Project or Collection,
the “key” is not cleared and focus remains on the “value” field, making it
easier to enter multiple values for the same key.

#19177 <https://dev.arvados.org/issues/19177>

There is now a configuration option for admins to disable the user
interface for the “sharing link” feature (URLs which can be sent to users
to access the data in a specific collection in Arvados without an Arvados
account), for organizations where sharing links violate their data sharing
policy.

#18975 <https://dev.arvados.org/issues/18975>

Workflow logs on Workbench 2 now show “Main logs” by default, which is a
combination of the crunch-run, stdout and stderr logs. Following scrolling
has also been improved.

#16070 <https://dev.arvados.org/issues/16070>

Workbench 2 now features a new panel showing the command line used to
invoke a workflow or workflow step.

#19231 <https://dev.arvados.org/issues/19231>

Workbench 2 now has options for smaller page sizes (10 and 20 items) to
speed up loading project contents.

#19282 <https://dev.arvados.org/issues/19282> #19220
<https://dev.arvados.org/issues/19220>

Added a new method to the Java SDK to upload files via the Keep Web API. The
Java SDK uses a config parameter to fetch the API token in KeepClient.

Bug Fixes

#19192 <https://dev.arvados.org/issues/19192>

Fixed an internal, silent failure in keep-web that would prevent use of the
manifest cache after keep-web was running for a while, resulting in poor
performance accessing files in Keep via HTTP, WebDAV and S3 APIs until the
service was restarted. keep-web now correctly uses the cache and maintains
consistent performance.

#19153 <https://dev.arvados.org/issues/19153>

In the Workbench 2 collection file browser, following the URL resulting
from “Copy to clipboard” will now open the file content in the browser,
instead of forcing a file download.

#19297 <https://dev.arvados.org/issues/19297>

Workbench 2 advanced search by metadata property now works as intended,
instead of returning an error.

#19305 <https://dev.arvados.org/issues/19305>

When using the “breadcrumbs bar” to edit Project properties, the existing
metadata properties are now loaded correctly.

#19296 <https://dev.arvados.org/issues/19296>

Fixed Python SDK bug in Collection.remove where the recursive flag was not
propagated, preventing removal of more than one level of directories.
Recursively removing deep directory trees in Collections now works as
intended.

#18965 <https://dev.arvados.org/issues/18965>

When navigating to a destination on Workbench 2 while not logged in, the
user is redirected to a login page and, after logging in, is now correctly
navigated back to the page they intended to visit.

#19142 <https://dev.arvados.org/issues/19142>

Workbench 2 “All processes” and “Subprocesses” panels now load faster by
limiting which fields of the container record are requested.

#19321 <https://dev.arvados.org/issues/19321>

When launching a workflow on Workbench 1, workflow inputs with “enum” type
are now displayed and set correctly.

#19280 <https://dev.arvados.org/issues/19280>

When submitting very large workflows with arvados-cwl-runner, particularly
those defined entirely in a single file, the time spent in initialization
(before the first workflow step is submitted) has been greatly reduced.


Thanks,

The Arvados Team