AWS Security ChangesHomeSearch

AWS res high security documentation change

Service: res · 2026-06-22 · Security-related high

File: res/archive/release-minus-1/ug/revisions.md

Summary

Added release notes for March 2026, including security fixes for privilege escalation, remote code execution, and instance profile ARN issue; along with enhancements and bug fixes.

Security assessment

The release notes explicitly document the fix of three security vulnerabilities: privilege escalation in FileBrowser, cross-user remote code execution via session name injection, and an issue with external instance profile ARN usage.

Diff

diff --git a/res/archive/release-minus-1/ug/revisions.md b/res/archive/release-minus-1/ug/revisions.md
index 1cc5f4b8a..2ada04a5b 100644
--- a//res/archive/release-minus-1/ug/revisions.md
+++ b//res/archive/release-minus-1/ug/revisions.md
@@ -12,0 +13,27 @@ Date | Change
+March 2026 | 
+
+  * Release version 2026.03 Security fixes
+    * Fixed a privilege escalation vulnerability in the FileBrowser component.
+    * Fixed a cross-user remote code execution vulnerability via session name injection.
+    * Fixed an issue where an external instance profile ARN could be used when creating a session.
+Enhancements
+    * Support for multiple volumes from a single ONTAP filesystem.
+    * Allow users to reset their session schedule to the system default.
+    * Allow administrators to restart errored VDIs from the Sessions page.
+    * Allow administrators to set instance type/family when registering a software stack.
+    * Allow administrators to configure DCV token expiration time via the RES portal.
+    * Allow administrators to add custom links to the web portal login page.
+    * Added configurable DCV session validation thresholds to support environments with longer bootstrap times.
+Changes
+    * Continued migration of VDC-related APIs from the VDC EC2 host to the backend Lambda.
+    * Upgraded Python to 3.12+ on infrastructure and VDI hosts.
+    * Removed AL2 and RHEL8 from default software stacks. Existing AL2 and RHEL8 software stacks in deployed environments are unaffected but will no longer be included as defaults for new environments.
+    * Removed unnecessary RES_Interface shortcut from VDI desktops.
+Bug fixes
+    * Fixed Sessions filter field.
+    * Fixed Ubuntu 24.04 bootstrap failure caused by systemd service restart.
+    * Fixed project deletion/creation when deploying with IAM resource prefix.
+    * Fixed failure to mount Lustre file system on RHEL9/Rocky9 VDIs.
+    * Fixed date range filter for list_sessions and list_shared_permissions.
+
+  
@@ -127 +154 @@ October 2024 |
-    * [Virtual desktop interface autostop](./virtual-desktops-autostop.html).
+    * [Virtual desktop infrastructure autostop](./virtual-desktops-autostop.html).
@@ -159,2 +185,0 @@ Notices
-Archive
-