chore: release notes for 1.3.4

artifacts/attributes.adoc

@@ -11,8 +11,8 @@
 :product-short: Developer Hub
 :product-very-short: RHDH
 :product-version: 1.3
-:product-bundle-version: 1.3.3
-:product-chart-version: 1.3.3
+:product-bundle-version: 1.3.4
+:product-chart-version: 1.3.4
 :product-backstage-version: 1.29.2
 :rhdeveloper-name: Red Hat Developer
 :rhel: Red Hat Enterprise Linux

assemblies/assembly-release-notes-fixed-security-issues.adoc

@@ -4,8 +4,15 @@
 
 This section lists security issues fixed in {product} {product-version}.
 
+
 == {product} {product-bundle-version}
 
+include::./modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc[leveloffset=+2]
+
+include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc[leveloffset=+2]
+
+== {product} 1.3.3
+
 include::./modules/release-notes/snip-fixed-security-issues-in-product-1.3.3.adoc[leveloffset=+2]
 
 include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.3.adoc[leveloffset=+2]

modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt

@@ -0,0 +1,8 @@
+# done in 1.3.4
+CVE-2024-56201, rhdh-hub-rhel9: Jinja has a sandbox breakout through malicious filenames
+CVE-2024-56326, rhdh-hub-rhel9: Jinja has a sandbox breakout through indirect reference to format method
+CVE-2024-55565, rhdh-hub-rhel9: nanoid mishandles non-integer values
+
+# to be done
+# CVE-2024-45338, rhdh-rhel9-operator: Non-linear parsing of case-insensitive content in golang.org/x/net/html
+# CVE-2024-52798, rhdh-hub-rhel9: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x

modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt

@@ -0,0 +1,16 @@
+# https://errata.engineering.redhat.com/advisory/143859
+CVE-2024-9287, python 3.11: Virtual environment (venv) activation scripts don't quote paths 
+
+# TODO verify these are fixed in the latest rhdh-hub / operator containers
+
+# https://errata.engineering.redhat.com/advisory/144019, kernel-5.14.0-503.21.1.el9_5
+# CVE-2024-46713, kernel: perf/aux: Fix AUX buffer serialization 
+# CVE-2024-50208, kernel: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages 
+# CVE-2024-50252, kernel: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address 
+# CVE-2024-53122, kernel: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust 
+
+# https://errata.engineering.redhat.com/advisory/139648, skopeo-1.16.1-2.el9_5
+# CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion 
+
+# https://errata.engineering.redhat.com/advisory/143848, python3.9-3.9.21-1.el9_5
+# CVE-2024-11168, python 3.9: Improper validation of IPv6 and IPvFuture addresses 

modules/release-notes/ref-release-notes-breaking-changes.adoc

@@ -7,93 +7,93 @@ This section lists breaking changes in {product} {product-version}.
 [id="removed-functionality-rhidp-3048"]
 == The 'dynamic-plugins' config map is named dynamically
 
-Before this update, the dynamic-plugins config map name was hardcoded.
-Therefore, it was not possible to install two {product} helm charts in the same namespace.
-
-With this update, the dynamic-plugins config map is named dynamically based on the deployment name similar to how all other components names are generated. 
+Before this update, the dynamic-plugins config map name was hardcoded.
+Therefore, it was not possible to install two {product} helm charts in the same namespace.
+
+With this update, the dynamic-plugins config map is named dynamically based on the deployment name similar to how all other components names are generated. 
 When upgrading from a previous chart you might need to manually update that section of your `values.yaml` file to pull in the correct config map.
 
-
 .Additional resources
+
 * link:https://issues.redhat.com/browse/RHIDP-3048[RHIDP-3048]
 
 [id="removed-functionality-rhidp-3074"]
 == Signing in without user in the software catalog is now disabled by default
 
-By default, it is now required for the user entity to exist in the software catalog to allow sign in. 
-This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective. 
-To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog.
+By default, it is now required for the user entity to exist in the software catalog to allow sign in. 
+This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective. 
+To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog.
 Enabling this option is dangerous as it might allow unauthorized users to gain access.
 
-
 .Additional resources
+
 * link:https://issues.redhat.com/browse/RHIDP-3074[RHIDP-3074]
 
 [id="removed-functionality-rhidp-3187"]
 == {company-name} and Community Technology Preview (TP) plugins and actions are disabled by default
 
-Before this update, some {company-name} and Community Technology Preview (TP) plugins and actions were enabled by default:
-
-.Technology Preview plugins
-* @backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor (changing in RHIDP-3643)
-
-.Community Support plugins
-* @backstage/plugin-scaffolder-backend-module-azure
-* @backstage/plugin-scaffolder-backend-module-bitbucket-cloud
-* @backstage/plugin-scaffolder-backend-module-bitbucket-server
-* @backstage/plugin-scaffolder-backend-module-gerrit
-* @backstage/plugin-scaffolder-backend-module-github
-* @backstage/plugin-scaffolder-backend-module-gitlab
-* @roadiehq/scaffolder-backend-module-http-request
-* @roadiehq/scaffolder-backend-module-utils
-
-With this update, all plugins included under the link:https://access.redhat.com/support/offerings/techpreview[Technology Preview scope of support], whether from {company-name} or the community, are disabled by default.
-
-.Procedure
-* If your workload requires these plugins, enable them in your custom resource or configmap using `disabled: false`. 
-
+Before this update, some {company-name} and Community Technology Preview (TP) plugins and actions were enabled by default:
+
+.Technology Preview plugins
+* @backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor (changing in RHIDP-3643)
+
+.Community Support plugins
+* @backstage/plugin-scaffolder-backend-module-azure
+* @backstage/plugin-scaffolder-backend-module-bitbucket-cloud
+* @backstage/plugin-scaffolder-backend-module-bitbucket-server
+* @backstage/plugin-scaffolder-backend-module-gerrit
+* @backstage/plugin-scaffolder-backend-module-github
+* @backstage/plugin-scaffolder-backend-module-gitlab
+* @roadiehq/scaffolder-backend-module-http-request
+* @roadiehq/scaffolder-backend-module-utils
+
+With this update, all plugins included under the link:https://access.redhat.com/support/offerings/techpreview[Technology Preview scope of support], whether from {company-name} or the community, are disabled by default.
+
+.Procedure
+* If your workload requires these plugins, enable them in your custom resource or configmap using `disabled: false`. 
+
 //See https://github.com/redhat-developer/red-hat-developer-hub/blob/main/dynamic-plugins.default.yaml for examples.
 
-
 .Additional resources
+
 * link:https://issues.redhat.com/browse/RHIDP-3187[RHIDP-3187]
 
 [id="removed-functionality-rhidp-4293"]
 == Plugins with updated scope
 
-With this update, three plugins previously under the `@janus-idp` scope have moved to `@backstage-community`:
-
-[%header,cols=2*]
-|===
-|*RHDH 1.2 Plugin Name* |*RHDH 1.3 Plugin Name*
-
-| `@janus-idp/backstage-plugin-argocd`
-| `@backstage-community/plugin-redhat-argocd`
-
-| `@janus-idp/backstage-plugin-3scale-backend`
-| `@backstage-community/plugin-3scale-backend`
-
-| `@janus-idp/backstage-plugin-catalog-backend-module-scaffolder-relation-processor`
-| `@backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor`
-|===
-
-As the scope of the previous plugins has been updated, the dynamic plugin configuration has also changed.
-
-[%header,cols=2*]
-|===
-|*RHDH 1.2 Configuration* |*RHDH 1.3 Configuration*
-
-| link:https://github.com/redhat-developer/rhdh/blob/1.2.x/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
-| link:https://github.com/redhat-developer/rhdh/blob/release-1.3/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
-|===
-
-.Procedure
-* If your workload requires plugins with an updated scope, revise your configuration to use the latest plugins from the new scope.
-
-//See https://github.com/redhat-developer/red-hat-developer-hub/blob/main/dynamic-plugins.default.yaml for examples.
-
+With this update, three plugins previously under the `@janus-idp` scope have moved to `@backstage-community`:
+
+[%header,cols=2*]
+|===
+|*RHDH 1.2 Plugin Name* |*RHDH 1.3 Plugin Name*
+
+| `@janus-idp/backstage-plugin-argocd`
+| `@backstage-community/plugin-redhat-argocd`
+
+| `@janus-idp/backstage-plugin-3scale-backend`
+| `@backstage-community/plugin-3scale-backend`
+
+| `@janus-idp/backstage-plugin-catalog-backend-module-scaffolder-relation-processor`
+| `@backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor`
+|===
+
+As the scope of the previous plugins has been updated, the dynamic plugin configuration has also changed.
+
+[%header,cols=2*]
+|===
+|*RHDH 1.2 Configuration* |*RHDH 1.3 Configuration*
+
+| link:https://github.com/redhat-developer/rhdh/blob/1.2.x/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
+| link:https://github.com/redhat-developer/rhdh/blob/release-1.3/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
+|===
+
+.Procedure
+* If your workload requires plugins with an updated scope, revise your configuration to use the latest plugins from the new scope.
+
+//See https://github.com/redhat-developer/rhdh/blob/main/dynamic-plugins.default.yaml for examples.
 
 .Additional resources
+
 * link:https://issues.redhat.com/browse/RHIDP-4293[RHIDP-4293]
 
 

modules/release-notes/ref-release-notes-deprecated-functionalities.adoc

@@ -7,56 +7,56 @@ This section lists deprecated functionalities in {product} {product-version}.
 [id="deprecated-functionality-rhidp-1138"]
 == `spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields are deprecated
 
-`spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields are deprecated in `v1alpha2` in favour of `spec.deployment`. 
-
-Procedure:
-
-To update your {product-short} Operation configuration:
-
-. Remove the `spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields from the Operator configuration:
-+
-[source,yaml]
-----
-spec:
-  application:
-    replicas: 2 # <1>
-    imagePullSecrets: # <2>
-      - my-secret-name
-    image: quay.io/my/my-rhdh:latest # <3>
-----
-<1> Replica count.
-<2> Array of image pull secrets names.
-<3> Image name.
-
-
-. Replace the removed fields by new `spec.deployment` fields, such as:
-+
-[source,yaml]
-----
-spec:
-  deployment:
-    patch:
-      spec:
-        replicas: 2 # <1>
-        imagePullSecrets: # <2>
-          - name: my-secret-name
-        template:
-          metadata:
-            labels:
-              my: true
-          spec:
-            containers:
-              - name: backstage-backend
-                image: quay.io/my/my-rhdh:latest # <3>
-----
-<1> Replica count.
-<2> Array of image pull secrets names.
-<3> Image name.
-
+`spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields are deprecated in `v1alpha2` in favour of `spec.deployment`. 
+
+Procedure:
+
+To update your {product-short} Operation configuration:
+
+. Remove the `spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields from the Operator configuration:
++
+[source,yaml]
+----
+spec:
+  application:
+    replicas: 2 # <1>
+    imagePullSecrets: # <2>
+      - my-secret-name
+    image: quay.io/my/my-rhdh:latest # <3>
+----
+<1> Replica count.
+<2> Array of image pull secrets names.
+<3> Image name.
+
+
+. Replace the removed fields by new `spec.deployment` fields, such as:
++
+[source,yaml]
+----
+spec:
+  deployment:
+    patch:
+      spec:
+        replicas: 2 # <1>
+        imagePullSecrets: # <2>
+          - name: my-secret-name
+        template:
+          metadata:
+            labels:
+              my: true
+          spec:
+            containers:
+              - name: backstage-backend
+                image: quay.io/my/my-rhdh:latest # <3>
+----
+<1> Replica count.
+<2> Array of image pull secrets names.
+<3> Image name.
+
 // https://github.com/redhat-developer/rhdh-operator/blob/main/docs/configuration.md#deployment-parameters
 
-
 .Additional resources
+
 * link:https://issues.redhat.com/browse/RHIDP-1138[RHIDP-1138]