RHIDP-5618 Release notes for Red Hat Developer Hub 1.4.2

themr0c · themr0c · commit 392403e0bf01 · 2025-02-06T14:52:12.000+01:00
Signed-off-by: Fabrice Flore-Thébault &lt;ffloreth@redhat.com&gt;
diff --git a/artifacts/attributes.adoc b/artifacts/attributes.adoc
@@ -12,8 +12,8 @@
 :product-very-short: RHDH
 :product-version: 1.4
 :product-version-next: 1.5.0
-:product-bundle-version: 1.4.1
-:product-chart-version: 1.4.1
+:product-bundle-version: 1.4.2
+:product-chart-version: 1.4.2
 :product-backstage-version: 1.32.6
 :product-custom-resource-type: Backstage
 :rhdeveloper-name: Red Hat Developer
diff --git a/assemblies/assembly-release-notes-fixed-security-issues.adoc b/assemblies/assembly-release-notes-fixed-security-issues.adoc
@@ -5,6 +5,12 @@
 This section lists security issues fixed in {product} {product-version}.
 
 == {product} {product-bundle-version}
+include::./modules/release-notes/snip-fixed-security-issues-in-product-1.4.2.adoc[leveloffset=+2]
+
+// nothing yet so don't include this
+// include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.4.2.adoc[leveloffset=+2]
+
+== {product} 1.4.1
 
 include::./modules/release-notes/snip-fixed-security-issues-in-product-1.4.1.adoc[leveloffset=+2]
 
diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.4.2.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.4.2.txt
@@ -0,0 +1 @@
+CVE-2025-22150
diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.4.2.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.4.2.txt
diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.4.2.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.4.2.adoc
@@ -0,0 +1,4 @@
+= {product} dependency updates
+
+link:https://access.redhat.com/security/cve/CVE-2025-22150[CVE-2025-22150]::
+A flaw was found in the undici package for Node.js. Undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests to an attacker-controlled website, it can leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.4.2.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.4.2.adoc
@@ -0,0 +1 @@
+= RHEL 9 platform RPM updates
