Changelog note for GHSA-hfgr-h3vc-p6c2

jupyterhub · Nov 21, 2023 · d73244e · d73244e
1 parent 2b5bd22
commit d73244e
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/docs/source/changelog.md b/docs/source/changelog.md
@@ -12,8 +12,12 @@ command line for details.
 
 ([full changelog](https://github.com/jupyterhub/dockerspawner/compare/12.1.0...13.0.0))
 
+13.0 Fixes security vulnerability GHSA-hfgr-h3vc-p6c2, which allowed authenticated users to spawn arbitrary images
+unless `DockerSpawner.allowed_images` was specified.
+
 #### API and Breaking Changes
 
+- Add and require `DockerSpawner.allowed_images='*'` to allow any image to be spawned via `user_options`. (GHSA-hfgr-h3vc-p6c2)
 - Remove deprecated, broken hub_ip_connect [#499](https://github.com/jupyterhub/dockerspawner/pull/499) ([@minrk](https://github.com/minrk))
 - Require python 3.8+ and jupyterhub 2.3.1+ [#488](https://github.com/jupyterhub/dockerspawner/pull/488) ([@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk))