AWS parallelcluster high security documentation change
Summary
Added security section detailing dependency upgrades to address multiple CVEs and CWEs
Security assessment
Explicitly lists security-related dependency upgrades with CVE/CWE references, indicating vulnerability fixes
Diff
diff --git a/parallelcluster/latest/ug/document_history.md b/parallelcluster/latest/ug/document_history.md index 1eb187229..3eb9fbcb2 100644 --- a//parallelcluster/latest/ug/document_history.md +++ b//parallelcluster/latest/ug/document_history.md @@ -874,0 +875,31 @@ PCUI Change | Description | Date +PCUI version 2025.04.0 released | PCUI version 2025.04.0 released Breaking changes: + + * Remove default value for the PC version. Now the user must specify the PC version to use. + +Features: + + * Add new stack parameter '`AdditionalPoliciesPCAPI`' to add custom permissions for the ParallelCluster API Lambda role, in addition to the default ones. + +Bug fixes: + + * Fix PCUI deployment in private subnets by making the PCUI template use and return the correct URLs. + * Fix an issue that prevents the loading of 200+ jobs in the Job status Tab. (See [ https://github.com/aws/aws-parallelcluster-ui/issues/376](https://github.com/aws/aws-parallelcluster-ui/issues/376)). + +Security: + + * Upgrade Python from 3.9 to 3.12. + * Upgrade cross-spawn from 7.0.3 to 7.0.6 to address vulnerability [CVE-2024-21538](https://nvd.nist.gov/vuln/detail/CVE-2024-21538). + * Upgrade requests from 2.31.0 to 2.32.0 to address [CVE-2024-35195](https://nvd.nist.gov/vuln/detail/cve-2024-35195). + * Upgrade urllib3 from 1.26.18 to 1.26.19 to address [CVE-2024-37891](https://nvd.nist.gov/vuln/detail/cve-2024-37891). + * Upgrade cryptography from 42.0.4 to 44.0.1 to address [CWE-1395](https://cwe.mitre.org/data/definitions/1395.html). + * Upgrade certifi from 2023.7.22 to 2024.7.4 to address [CVE-2024-39689](https://nvd.nist.gov/vuln/detail/cve-2024-39689). + * Upgrade jinja2 from 3.1.3 to 3.1.6 to address [CVE-2024-56201](https://nvd.nist.gov/vuln/detail/CVE-2024-56201) and [CVE-2024-56326](https://nvd.nist.gov/vuln/detail/CVE-2024-56326). + * Upgrade serverless_wsgi.py to version 3.0.5. + * Upgrade Werkzeug from 2.3.8 to version 3.0.6 to address [CVE-2024-34069](https://nvd.nist.gov/vuln/detail/CVE-2024-34069), [CVE-2024-49766](https://nvd.nist.gov/vuln/detail/CVE-2024-49766) and [CVE-2024-49767](https://nvd.nist.gov/vuln/detail/CVE-2024-49767). + * Upgrade Axios from 1.6.7 to version 1.8.2 to address [CVE-2024-39338](https://nvd.nist.gov/vuln/detail/CVE-2024-39338). + * Upgrade Next.js from 14.1.1 to version 14.2.25 to address [CVE-2024-51479](https://nvd.nist.gov/vuln/detail/CVE-2024-51479), [CVE-2024-46982](https://nvd.nist.gov/vuln/detail/CVE-2024-46982) and [CVE-2025-29927](https://nvd.nist.gov/vuln/detail/CVE-2025-29927). + * Upgrade idna from 3.4 to version 3.7 to address [CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651). + * Upgrade nanoid from 3.3.7 to version 3.3.8 to address [CVE-2024-55565](https://nvd.nist.gov/vuln/detail/CVE-2024-55565). + * Upgrade python-jose from 3.3.0 to version 3.4.0 to address [CVE-2022-29217](https://nvd.nist.gov/vuln/detail/CVE-2022-29217). + +| April 16, 2025