From 718708f1a4f6544194be161f3ac73f62b5ee7b97 Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Mon, 9 Oct 2023 12:51:29 -0400 Subject: [PATCH] Update rns (#870) * update release 3.0 notes for security patches * go ahead an bump the release too --- source/conf.py | 2 +- source/release-notes/v3.0-release-notes.rst | 17 ++++++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/source/conf.py b/source/conf.py index 3bfce57a..b2917911 100644 --- a/source/conf.py +++ b/source/conf.py @@ -70,7 +70,7 @@ # The short X.Y version. version = u'3.0' # The full version, including alpha/beta/rc tags. -release = u'3.0.0' +release = u'3.0.3' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/source/release-notes/v3.0-release-notes.rst b/source/release-notes/v3.0-release-notes.rst index 30aa1aca..9e4e9216 100644 --- a/source/release-notes/v3.0-release-notes.rst +++ b/source/release-notes/v3.0-release-notes.rst @@ -5,7 +5,9 @@ v3.0 Release Notes .. warning:: - There are some breaking changes in 3.0. See the upgrade directions below for details. + 3.0 has security fixes that no prior release has. + + There are also some breaking changes in 3.0. See the upgrade directions below for details. Administrative changes @@ -63,6 +65,19 @@ time contributing to Open OnDemand. If we've missed listing anyone here, please let us know! +Security Fixes +-------------- + +Versions prior to 3.0 are vulnerable to these security related issues: + +* ``OOD_ALLOWLIST_PATH`` can be circumvented in several scenarios. +* Users may inject malicous Ruby code into certian user owned ERB files + that the system reads. + +These have been fixed in version 3.0.2 and up. Thank you to the +the team at CSC - IT Center for Science, Finland for disclosing +these. + Details of administrative changes ---------------------------------