CVE-2024-56334 now fixed in 1.4.1

Signed-off-by: Nick Boldt <[email protected]>

add CVE-2024-56334 to snip-fixed-security-issues-in-product-1.4.1.adoc

Signed-off-by: Nick Boldt <[email protected]>

add spaces back into the generated RN

Signed-off-by: Nick Boldt <[email protected]>

more fixes from JIRA updates

Signed-off-by: Nick Boldt <[email protected]>

Author: nickboldt

modules/release-notes/list-fixed-security-issues-in-product-1.4.1.txt

@@ -3,6 +3,4 @@ CVE-2024-56201, rhdh/rhdh-hub-rhel9: Jinja has a sandbox breakout through malici
 CVE-2024-56326, rhdh/rhdh-hub-rhel9: Jinja has a sandbox breakout through indirect reference to format method
 CVE-2024-55565, rhdh-hub-container: nanoid mishandles non-integer values
 CVE-2024-52798, rhdh-hub-container: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x
-
-# not yet fixed for 1.4.z
-# CVE-2024-56334, rhdh/rhdh-hub-rhel9: Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation
+CVE-2024-56334, rhdh/rhdh-hub-rhel9: Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation

modules/release-notes/ref-release-notes-breaking-changes.adoc

@@ -8,8 +8,11 @@ This section lists breaking changes in {product} {product-version}.
 == Updated monitoring and logging metrics
 
 Prom-client metrics have been removed and replaced with OpenTelemetry metrics. As a result, the metrics port has changed from `7007` to `9464`. Deprecated metrics have also been removed. If you had dependencies on these, ensure your prometheus queries are updated. For further information, see link:https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3/html-single/monitoring_and_logging/index#assembly-rhdh-observability[Monitoring and logging]
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-4572[RHIDP-4572]
+
 [id="removed-functionality-rhidp-4853"]
 ==  Plugins with updated scope
 
@@ -86,6 +89,10 @@ With the update to the plugin scope, the dynamic plugin configuration has also b
 ====
 In addition to the previously provided tables, you can compare the link:https://github.com/redhat-developer/red-hat-developers-documentation-rhdh/blob/release-1.4/modules/dynamic-plugins/rhdh-supported-plugins.csv[RHDH 1.4 CSV file] with the link:https://github.com/redhat-developer/red-hat-developers-documentation-rhdh/blob/release-1.3/modules/dynamic-plugins/rhdh-supported-plugins.csv[RHDH 1.3 CSV file] to identify the changes in dynamic plugins.
 ====
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-4853[RHIDP-4853]
 
+
+

modules/release-notes/ref-release-notes-deprecated-functionalities.adoc

@@ -8,18 +8,28 @@ This section lists deprecated functionalities in {product} {product-version}.
 == `./dynamic-plugins/dist/janus-idp-backstage-plugin-aap-backend-dynamic` plugin is deprecated
 
 The `./dynamic-plugins/dist/janus-idp-backstage-plugin-aap-backend-dynamic` plugin has been deprecated and will be removed in the next release. You can link:https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html-single/using_ansible_plug-ins_for_red_hat_developer_hub/index[use Ansible plug-ins for {product-very-short}] instead.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-3545[RHIDP-3545]
+
 [id="deprecated-functionality-rhidp-4913"]
 == Audit log rotation is deprecated
 
 With this update, you can evaluate your platform's log forwarding solutions to align with your security and compliance needs. Most of these solutions offer configurable options to minimize the loss of logs in the event of an outage.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-4913[RHIDP-4913]
+
 [id="deprecated-functionality-rhidp-5218"]
 == {rhsso-brand-name} `7.6` is deprecated as an authentication provider
 
 {rhsso-brand-name} ({rhsso}) `7.6` is deprecated as an authentication provider. You can continue to use {rhsso} until the end of maintenance support. For details, see link:https://access.redhat.com/support/policy/updates/jboss_notes/#p_sso[RHSSO lifecycle dates]. As an alternative, migrate to {rhbk-brand-name} `v24`.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5218[RHIDP-5218]
 
+
+

modules/release-notes/ref-release-notes-fixed-issues.adoc

@@ -13,91 +13,121 @@ Previously, the GitHub issues plugin defaulted to using the first GitHub integra
 
 Now, GitHub issues plugin supports multiple GitHub integration hosts. It uses the well-known entity slug annotation `backstage.io/source-location` or `backstage.io/managed-by-location` to determine the appropriate GitHub integration for a component. If no integration matches the slug, the first GitHub integration is selected, maintaining the previous behavior.
 
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-2727[RHIDP-2727]
 
+
 [id="bug-fix-rhidp-2903"]
 === All API documentation is defined in the 3scale backend plugin
 
 Previously, some API documentation defined in the 3scale backend plugin was not accessible in {product-very-short}.
 
 With this update, all API documentation defined in the 3scale backend plugin is imported and merged in the {product-very-short}.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-2903[RHIDP-2903]
 
+
 [id="bug-fix-rhidp-3115"]
 === {product-very-short} helm chart deployment throws `NotAllowedError`
 
 Previously, when deploying with the Helm Chart, there could be a mismatch between the Route hostname and the `baseUrl` fields added to the generated app-config ConfigMap. This could sometimes cause failure to authenticate against some providers due to an origin mismatch.
 
 This update fixes this issue by ensuring no mismatch between those values.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-3115[RHIDP-3115]
 
+
 [id="bug-fix-rhidp-3849"]
 === Disable the creation of permission policies and roles when disabling the RBAC backend plugin
 
 Previously, disabling the Role-Based Access Control (RBAC) backend plugin created roles and permission policies, whether the permission framework was enabled or not.
 
 With this update, disabling the RBAC backend plugin no longer creates roles and permission policies.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-3849[RHIDP-3849]
 
+
 [id="bug-fix-rhidp-3931"]
 === Added alert on the deletion icon during bulk imports
 
 Before this update, repositories were added to the {product-short} from various sources, such as `app-config` files or GitHub discovery. The Bulk Import plugin only tracked repositories accessible using the configured GitHub integrations. When both plugins were enabled, repositories discovered by GitHub Discovery appeared on Bulk Import pages. However, deleting these repositories from Bulk Import Jobs had no effect, as entities from discovery or `app-config.yaml` file remained in the {product-short} catalog.
 
 With this update, an alert on the deletion icon notifies the user to modify the source (either the `catalog-info` within the repository or the `app-config.yaml` file if the file originates from there) to remove the catalog entity.
 
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-3931[RHIDP-3931]
 
+
 [id="bug-fix-rhidp-4240"]
 === Removed the pre-configured custom resources from the Kubernetes configuration
 
 Before this update, the custom resources in Kubernetes configuration were pre-configured. As a result, users could see Tekton warnings without configuring the custom resources in Kubernetes.
 
 This update removes the pre-configured custom resources from the Kubernetes configuration. Therefore, users can customize resources to the Kubernetes configuration based on their requirements, preventing unrelated warnings from appearing.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-4240[RHIDP-4240]
 
+
 [id="bug-fix-rhidp-4241"]
 === RBAC Plugin is broken with latest Backstage version (`1.31`)
 
 Before this update, Role-Based Access Control (RBAC) backend plugin broke in Backstage `1.31` with an error.
 
 This update resolves compatibility issues with RBAC backend plugin on Backstage versions `1.31` and `1.32` without displaying any errors.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-4241[RHIDP-4241]
 
+
 [id="bug-fix-rhidp-4732"]
 === The backstage instance always failed to start in version `5.1.0`
 
 Before this update, the backstage instance failed to start in version `5.1.0`, showing an error.
 
 With this update, the Role-Based Access Control (RBAC) Backend plugin now starts successfully in version `5.1.0` without displaying any errors.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-4732[RHIDP-4732]
 
+
 [id="bug-fix-rhidp-4734"]
 === Resolved RBAC API inconsistency when scaling deployments to more than one pod
 
 Before this update, scaling the deployment to more than one pod caused Role-Based Access Control (RBAC) roles to remain unsynced, allowing only the pod that created the resource to serve it.
 
 With this update, RBAC roles are now properly synced across all pods, with Redis cache and traffic routing configured to ensure consistency across the deployment.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-4734[RHIDP-4734]
 
+
 [id="bug-fix-rhidp-5014"]
 === `export-dynamic-plugin` fails to find dependencies nested deeper than one level in `node_modules`
 
-Previously, the CLI examined the dependencies of embedded packages during the export process to know if other packages should be embedded. One of the methods was calling {{require}} when the CLI encountered a built embedded package, which was the case when wrapping an existing plugin. 
+Previously, the CLI examined the dependencies of embedded packages during the export process to know if other packages should be embedded. One of the methods was calling `require` when the CLI encountered a built embedded package, which was the case when wrapping an existing plugin. 
 
-This update changes the parent directory that the {{require}} uses from the monorepo root to the embedded package. Therefore, the dependent package found is the dependency that is most relevant to the embedded package.
+This update changes the parent directory that the `require` uses from the monorepo root to the embedded package. Therefore, the dependent package found is the dependency that is most relevant to the embedded package.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5014[RHIDP-5014]
 
+
 [id="bug-fix-rhidp-5062"]
 === `suppress-native-package` and `allow-native-package` flags to handle native modules
 
@@ -107,40 +137,56 @@ This update introduces two new CLI flags that help dynamic plugin developers han
 
 
 
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5062[RHIDP-5062]
 
+
 [id="bug-fix-rhidp-5120"]
 ===  Resolved the issue with text selection when reporting a TechDoc issue
 
 Previously, the feature to report a documentation (TechDoc) issue failed. Therefore, when a user selected a text in a TechDoc, a large icon appeared instead of a tooltip button.
 
 With this update, users can select texts when reporting a documentation (TechDoc) issue.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5120[RHIDP-5120]
 
+
 [id="bug-fix-rhidp-5136"]
 === Resolved the `stdout maxBuffer` error
 
 Previously, the `export-dynamic-plugin` failed with an error that the `stdout maxBuffer` length was exceeded.
 
-With this update, the CLI redirects the output of the {{yarn install}} command it performs during the export process to a file. Therefore, a successful completion of the {{yarn install}} command and verification of the `export-dynamic-plugin`, cleans up the file. The file is available for troubleshooting when the dynamic plugin validation checks fail.
+With this update, the CLI redirects the output of the `yarn install` command it performs during the export process to a file. Therefore, a successful completion of the `yarn install` command and verification of the `export-dynamic-plugin`, cleans up the file. The file is available for troubleshooting when the dynamic plugin validation checks fail.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5136[RHIDP-5136]
 
+
 [id="bug-fix-rhidp-5141"]
 === Added an `--ignore-version-check` flag
 
 Previously, exporting a plugin that has not been updated to a newer backstage version failed due to a semver check performed on dependencies of the dynamic plugin package.
 
 With this update, an `--ignore-version-check` flag accepts a list of package names causing the CLI to selectively ignore the semver check the CLI performs when evaluating the plugin package dependencies. Therefore, a plugin that has not been updated works because it relies on unchanged interfaces and functions. 
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5141[RHIDP-5141]
 
+
 [id="bug-fix-rhidp-5297"]
 === Updated the Tech Radar plugin
 
 With this update, you are now required to enable both `./dynamic-plugins/dist/backstage-community-tech-radar` and `./dynamic-plugins/dist/backstage-community-tech-radar-backend-dynamic` to use the Tech Radar plugin. You must configure additional settings depending on where you choose to load the JSON data for the plugin.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5297[RHIDP-5297]
 
+
+

modules/release-notes/ref-release-notes-known-issues.adoc

@@ -10,22 +10,32 @@ This section lists known issues in {product} {product-version}.
 Currently, when deploying {product-short} using the Helm Chart, two replicas cannot run on different cluster nodes. This might also affect the upgrade from 1.3 to 1.4.0 if the new pod is scheduled on a different node.
 
 A possible workaround for the upgrade is to manually scale down the number of replicas to 0 before upgrading your Helm release. Or manually remove the old {product-short} pod after upgrading the Helm release. However, this would imply some application downtime. You can also leverage a Pod Affinity rule to force the cluster scheduler to run your {product-short} pods on the same node.
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5344[RHIDP-5344]
+
 [id="known-issue-rhidp-5342"]
-== [Helm] Cannot run 2 RHDH replicas on different nodes due to Multi-Attach errors on the dynamic plugins root PVC
+== [Helm] Cannot run two RHDH replicas on different nodes due to Multi-Attach errors on the dynamic plugins root PVC
 
 If you are deploying {product-short} using the Helm Chart, it is currently impossible to have 2 replicas running on different cluster nodes. This might also affect the upgrade from 1.3 to 1.4.0 if the new pod is scheduled on a different node.
 
 A possible workaround for the upgrade is to manually scale down the number of replicas to 0 before upgrading your Helm release. Or manually remove the old {product-short} pod after upgrading the Helm release. However, this would imply some application downtime.
 You can also leverage a Pod Affinity rule to force the cluster scheduler to run your {product-short} pods on the same node.
 
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5342[RHIDP-5342]
+
 [id="known-issue-rhidp-3396"]
 == Topology plugin permission is not displayed in the RBAC front-end UI
 
 Permissions associated only with front-end plugins do not appear in the UI because they require a backend plugin to expose the permission framework's well-known endpoint. As a workaround, you can apply these permissions by using a CSV file or directly calling the REST API of the RBAC backend plugin. Affected plugins include Topology (`topology.view.read`), Tekton (`tekton.view.read`), ArgoCD (`argocd.view.read`), and Quay (`quay.view.read`).
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-3396[RHIDP-3396]
 
+
+

modules/release-notes/ref-release-notes-new-features.adoc

@@ -8,26 +8,30 @@ This section highlights new features in {product} {product-version}.
 == Added an individual `mountPath`
 
 This update adds an additional individual `mountPath` for extra configmaps or secrets.
+
 [id="feature-rhidp-3621"]
 == `PersistentVolumeClaims` support is available
 
 With this update, link:https://github.com/redhat-developer/rhdh-operator/blob/main/docs/configuration.md#persistentvolumeclaims[`PersistentVolumeClaims` (PVC)] support is available.
+
 [id="feature-rhidp-3817"]
 == Added Configuration Profiles
 
 With this update, there are additional link:https://github.com/redhat-developer/rhdh-operator/blob/main/docs/profiles.md[configuration profiles].
+
 [id="enhancement-rhidp-4384"]
 == Enhanced use of `kube-rbac-proxy`
 
 This update removes the `kube-rbac-proxy` sidecar container from the RHDH Operator Pod. This sidecar container protected the operator metrics endpoint. However, the main container now provides this functionality out-of-the-box. Removing this sidecar container allows for reducing the resources required to run the Operator.
+
 [id="feature-rhidp-4414"]
 == Identifying Backstage flavor for plugins by using the `developerHub.flavor` field
 
 With this update, you can use the `developerHub.flavor` field to identify whether plugins are running on {product-very-short}, {rhtap-very-short}, or vanilla Backstage, as shown in the following example:
 
 .`app-config.yaml` fragment with the `developerhub.flavor` field
 
-[source,yaml]
+[source,yaml,subs="quotes"]
 ----
 developerHub:
   flavor: <flavor>;
@@ -36,24 +40,30 @@ developerHub:
 `flavor`::
 Identify the flavor of Backstage that is running. Default value: `rhdh`
 
+
 [id="feature-rhidp-4419"]
 == Ability to manage PVCs in RHDH Operator
 
 You can now mount directories from pre-created PersistentVolumeClaims (PVCs) using the `spec.application.extraFiles.pvcs` field, while configuring RHDH Operator.
 For more information, see link:https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.4/html-single/configuring/index#configuring-the-deployment[Persistent Volume Claim (PVC)].
 
+
 [id="feature-rhidp-4805"]
 == Authenticating with {rhbk-brand-name}
 
 With this update, you can use {rhbk-brand-name} as an authentication provider. The Keycloak plugin will now support ingesting users and groups with {rhbk-brand-name}. For more details, see link:https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/getting_started_guide/index#getting-started-zip-start-red-hat-build-of-keycloak[Authentication with {rhbk-brand-name}].
+
 [id="feature-rhidp-4806"]
 == Ability to install third-party plugins in RHDH
 
 You can now install third-party plugins in {product} without rebuilding the {product-very-short} application.
 
 For more information, see link:https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.4/html-single/introduction_to_plugins/index[Third party plugins].
+
 [id="feature-rhidp-5156"]
 ==  The catalog backend module logs plugin is enabled
 
 With this update, the `backstage-plugin-catalog-backend-module-logs` is enabled and converted to a static plugin improving performance and stability. The dynamic plugin was disabled in version `1.3`.
 
+
+

modules/release-notes/ref-release-notes-technology-preview.adoc

@@ -24,6 +24,10 @@ With this update, {product-short} includes the following dynamic plugins to mana
 
 These plugins are disabled by default.
 
+
+
 .Additional resources
 * link:https://issues.redhat.com/browse/RHIDP-5545[RHIDP-5545]
 
+
+

modules/release-notes/single-source-release-notes-template.adoc.jinja

@@ -16,6 +16,10 @@
 == {{ issue.fields.summary }}
 {% endif %}
 {{ issue.fields.customfield_12317313 }}
-{% if template == "with-jira-link" or template == "with-z-stream-section" %}.Additional resources
+{% if template == "with-jira-link" or template == "with-z-stream-section" %}
+
+.Additional resources
 * link:https://issues.redhat.com/browse/{{ issue.key }}[{{ issue.key }}]
-{% endif %}{% endfor %}{% if not vars -%}None.{% endif -%}
+{% endif %}
+{% endfor %}
+{% if not vars -%}None.{% endif -%}