AWS res high security documentation change
Summary
Added release notes for March 2026, including security fixes for privilege escalation, remote code execution, and instance profile ARN issue; along with enhancements and bug fixes.
Security assessment
The release notes explicitly document the fix of three security vulnerabilities: privilege escalation in FileBrowser, cross-user remote code execution via session name injection, and an issue with external instance profile ARN usage.
Diff
diff --git a/res/archive/release-minus-1/ug/revisions.md b/res/archive/release-minus-1/ug/revisions.md index 1cc5f4b8a..2ada04a5b 100644 --- a//res/archive/release-minus-1/ug/revisions.md +++ b//res/archive/release-minus-1/ug/revisions.md @@ -12,0 +13,27 @@ Date | Change +March 2026 | + + * Release version 2026.03 Security fixes + * Fixed a privilege escalation vulnerability in the FileBrowser component. + * Fixed a cross-user remote code execution vulnerability via session name injection. + * Fixed an issue where an external instance profile ARN could be used when creating a session. +Enhancements + * Support for multiple volumes from a single ONTAP filesystem. + * Allow users to reset their session schedule to the system default. + * Allow administrators to restart errored VDIs from the Sessions page. + * Allow administrators to set instance type/family when registering a software stack. + * Allow administrators to configure DCV token expiration time via the RES portal. + * Allow administrators to add custom links to the web portal login page. + * Added configurable DCV session validation thresholds to support environments with longer bootstrap times. +Changes + * Continued migration of VDC-related APIs from the VDC EC2 host to the backend Lambda. + * Upgraded Python to 3.12+ on infrastructure and VDI hosts. + * Removed AL2 and RHEL8 from default software stacks. Existing AL2 and RHEL8 software stacks in deployed environments are unaffected but will no longer be included as defaults for new environments. + * Removed unnecessary RES_Interface shortcut from VDI desktops. +Bug fixes + * Fixed Sessions filter field. + * Fixed Ubuntu 24.04 bootstrap failure caused by systemd service restart. + * Fixed project deletion/creation when deploying with IAM resource prefix. + * Fixed failure to mount Lustre file system on RHEL9/Rocky9 VDIs. + * Fixed date range filter for list_sessions and list_shared_permissions. + + @@ -127 +154 @@ October 2024 | - * [Virtual desktop interface autostop](./virtual-desktops-autostop.html). + * [Virtual desktop infrastructure autostop](./virtual-desktops-autostop.html). @@ -159,2 +185,0 @@ Notices -Archive -