[2.7] Update 2.7.2 release notes with CWE IDs for security fixes [skip ci]#4319

Open
chesterxgchen wants to merge 1 commit into NVIDIA:2.7 from chesterxgchen:release-notes-272-security-cwe
Conversation

@chesterxgchen
Collaborator

Summary

Updates the FLARE 2.7.2 release notes to add CWE identifiers for two security fixes that were previously undocumented or missing classification.

Changes

File: docs/release_notes/flare_272.rst

CWE-502 — Deserialization of Untrusted Data (PR #4294 / #4295, CVSS 8.8 High)

Added an explicit security entry for the FOBS RCE fix. The previous release notes only mentioned "Improved error handling in FOBS serialization" which did not reflect the severity or nature of the vulnerability. The fix introduced a BUILTIN_TYPES allowlist to validate type_name before passing it to load_class(), blocking authenticated participants from achieving RCE on the aggregation server.

CWE-22 — Path Traversal (PR #4230, cherry-pick of #4229)

Updated the existing FileRetriever entry to include the CWE-22 identifier and clarify the attack vector (../ traversal escaping the allowed directory).

Why

Downstream users, security scanners, and compliance teams rely on CWE IDs to correlate release notes with standard vulnerability classifications. Without these IDs the fixes are effectively invisible to automated tooling.

Types of Changes

  • Non-breaking change (documentation only)

🤖 Generated with Claude Code

Add explicit CWE identifiers to the two security fixes in the 2.7.2
release notes so downstream users and scanners can correlate the fixes
with standard vulnerability classifications.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
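As an added illustration (not NVFlare's code, and not the diff under review), the two hardening patterns the description names: checking type_name against an allowlist before any class loading (CWE-502), and a Path.resolve containment check that rejects ../ escapes (CWE-22). The allowlist contents and the names is_allowed_type, resolve_type_name, is_within and safe_retrieve_path are assumptions for this example, not the project's API.

```python
import importlib
from pathlib import Path

# Hypothetical allowlist of fully-qualified type names the decoder may
# instantiate. Membership is checked on the string BEFORE any import or
# attribute lookup, so a caller-supplied type_name never reaches class loading.
BUILTIN_TYPES = frozenset({
    "builtins.dict", "builtins.list", "builtins.tuple",
    "builtins.str", "builtins.int", "builtins.float", "builtins.bool",
})


def is_allowed_type(type_name: str, allowlist=BUILTIN_TYPES) -> bool:
    """CWE-502 gate: True only if type_name is explicitly allowlisted."""
    return type_name in allowlist


def resolve_type_name(type_name: str, allowlist=BUILTIN_TYPES):
    """Hardened stand-in for a load_class(): resolve only allowlisted names."""
    if not is_allowed_type(type_name, allowlist):
        raise TypeError(f"type {type_name!r} is not allowed for deserialization")
    module_name, _, class_name = type_name.rpartition(".")
    return getattr(importlib.import_module(module_name), class_name)


def is_within(base_dir: str, requested: str) -> bool:
    """CWE-22 gate: True only if requested resolves inside base_dir.

    Path.resolve() collapses '..' segments and follows symlinks, so the
    containment test runs on the final real location, not the raw string.
    An absolute `requested` replaces base_dir when joined and is rejected too.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    return target == base or base in target.parents


def safe_retrieve_path(base_dir: str, requested: str) -> Path:
    """Hardened retriever: return the resolved path or refuse to serve it."""
    if not is_within(base_dir, requested):
        raise PermissionError(f"{requested!r} escapes {base_dir!r}")
    return (Path(base_dir) / requested).resolve()


if __name__ == "__main__":
    # Constructed inputs: one accepted and one rejected case per check.
    print(resolve_type_name("builtins.dict"))                   # <class 'dict'>
    print(is_allowed_type("collections.OrderedDict"))           # False
    print(is_within("/srv/flare/files", "job1/model.pt"))       # True
    print(is_within("/srv/flare/files", "../../outside/x.txt")) # False
```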
@chesterxgchen changed the title from "[2.7] Update 2.7.2 release notes with CWE IDs for security fixes" to "[2.7] Update 2.7.2 release notes with CWE IDs for security fixes [skip ci]" on Mar 15, 2026
@greptile-apps
Contributor

greptile-apps bot commented Mar 15, 2026

Greptile Summary

Updates the FLARE 2.7.2 release notes to add standard CWE identifiers and severity details for two security fixes that were previously documented without vulnerability classification.

Confidence Score: 5/5

  • This PR is safe to merge — it only modifies release notes documentation with no code changes.
  • Documentation-only change to an RST release notes file. The security descriptions were verified against the actual codebase and accurately reflect the implemented fixes. No code logic, configuration, or build changes are involved.
  • No files require special attention.

Important Files Changed

Filename: docs/release_notes/flare_272.rst
Overview: Adds CWE-502 (FOBS RCE) and CWE-22 (FileRetriever path traversal) security identifiers to bug fix entries. Both entries accurately describe the vulnerabilities and fixes verified against the codebase.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Release Notes Update"] --> B["CWE-502: FOBS RCE Fix"]
    A --> C["CWE-22: FileRetriever Path Traversal Fix"]
    B --> D["PR #4294/#4295"]
    D --> E["Added BUILTIN_TYPES allowlist"]
    D --> F["Validates type_name before load_class"]
    D --> G["Public API: add_type_name_whitelist"]
    C --> H["PR #4230 cherry-pick of #4229"]
    H --> I["Path.resolve boundary checks"]
    H --> J["Prevents ../ directory escape"]

Last reviewed commit: 74e633b

@chesterxgchen
Collaborator Author

/build
