Docs/1.37.0 part 2 (#407)

mefellows · web-flow · commit 67031c966e01 · 2025-07-11T22:21:06.000+10:00
* docs: update 1.37.0 release notes * docs: document advisory for CVE-2025-40909
diff --git a/website/docs/docs/on-premises-2x/security-audit-report.md b/website/docs/docs/on-premises-2x/security-audit-report.md
@@ -150,9 +150,9 @@ Up to and including 1.19.2.
 
 PactFlow uses a custom failure endpoint so the vulnerable code is never executed.
 
-### `libpam` related security vulnerabilities
+### `libpam` and `perl` related security vulnerabilities
 
-The following CVEs affect the `libpam` libraries included in the base operating system used by PactFlow’s Docker image (Ubuntu 24.04). These packages are marked as essential system dependencies, and removing them would break standard package management functionality (`apt`, `dpkg`) within the container.
+The following CVEs affect the `libpam` and `perl` libraries included in the base operating system used by PactFlow’s Docker image (Ubuntu 24.04). These packages are marked as essential system dependencies, and removing them would break standard package (`apt`, `dpkg`) and user management functionality within the container.
 
 We are shipping the image with these packages included, as they are required for basic system operation. PactFlow itself does **not** use the PAM libraries at runtime. If your internal security policies require their removal, see the mitigation guidance below.
 
@@ -200,6 +200,28 @@ _Version:_ 1.5.3-5
 
 As above — required only for essential base image functionality, and not invoked or referenced by PactFlow.
 
+#### CVE-2025-40909
+
+##### Affected Components
+
+- perl
+- perl-base
+- perl-modules-5.38
+- libperl5.38t64
+_Version:_ 5.38.2-3.2
+
+##### CVE
+
+[https://nvd.nist.gov/vuln/detail/CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2025-40909)
+
+##### Detectable in versions of PactFlow
+
+2.0.0 and later
+
+##### Notes
+
+As above — required only for essential base image functionality, and not invoked or referenced by PactFlow.
+
 ### Mitigation guidance
 
 If you must remove the `libpam*` packages for compliance reasons:
diff --git a/website/docs/docs/on-premises/releases/1.37.0.md b/website/docs/docs/on-premises/releases/1.37.0.md
@@ -28,7 +28,6 @@ title: 1.37.0
 
 - Improved support for URI-encoded paths in BDC for OpenAPI.
 - Stripped Byte Order Mark (BOM) from provider contracts if present.
-- Fixed issues in the integrations backend and BFF layer where query strings didn’t match any Pacticipant name.
 - Fixed an intermittent 401 error triggered by `auth_ext_script` custom extension.
 
 ## Pact Broker Updates
@@ -44,13 +43,11 @@ The following updates from the [Pact Broker](https://github.com/pact-foundation/
   [commit](https://github.com/pact-foundation/pact_broker/commit/42bf5203)
 - Added `deployed-environments` to `/participants/$name/versions`  
   [#801](https://github.com/pact-foundation/pact_broker/pull/801) | [commit](https://github.com/pact-foundation/pact_broker/commit/af66f6a3)
-- Added API to group provider states by consumer
+- Added `/pacts/provider/{provider}/provider-states` API to group provider states by consumer
   [#790](https://github.com/pact-foundation/pact_broker/pull/790) | [commit](https://github.com/pact-foundation/pact_broker/commit/e39860a9)
 
 ### Bug Fixes
 
-- Refactored the `long consumer_contract` method  
-  [commit](https://github.com/pact-foundation/pact_broker/commit/7d8af4d5)
 - Refactored integration queries to eliminate duplicate rows  
   [#806](https://github.com/pact-foundation/pact_broker/pull/806) | [commit](https://github.com/pact-foundation/pact_broker/commit/7bff0f0d)
 - De-duplicated non-unique provider states  
