Merge branch 'latest' into develop

OSC · Oct 9, 2023 · 467ffe1 · 467ffe1
2 parents eee4695 + 718708f
commit 467ffe1
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/source/conf.py b/source/conf.py
@@ -70,7 +70,7 @@
 # The short X.Y version.
 version = u'3.0'
 # The full version, including alpha/beta/rc tags.
-release = u'3.0.0'
+release = u'3.0.3'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

diff --git a/source/release-notes/v3.0-release-notes.rst b/source/release-notes/v3.0-release-notes.rst
@@ -5,7 +5,9 @@ v3.0 Release Notes
 
 .. warning::
 
-   There are some breaking changes in 3.0. See the upgrade directions below for details.
+  3.0 has security fixes that no prior release has.
+
+  There are also some breaking changes in 3.0. See the upgrade directions below for details.
 
 
 Administrative changes
@@ -63,6 +65,19 @@ time contributing to Open OnDemand.
 
 If we've missed listing anyone here, please let us know!
 
+Security Fixes
+--------------
+
+Versions prior to 3.0 are vulnerable to these security related issues:
+
+* ``OOD_ALLOWLIST_PATH`` can be circumvented in several scenarios.
+* Users may inject malicous Ruby code into certian user owned ERB files
+  that the system reads.
+
+These have been fixed in version 3.0.2 and up. Thank you to the
+the team at CSC - IT Center for Science, Finland for disclosing
+these.
+
 Details of administrative changes
 ---------------------------------