docs: clarify how upgrades are evaluated

docs/docs-content/clusters/cluster-management/platform-settings/pause-platform-upgrades.md

@@ -8,11 +8,58 @@ tags: ["clusters", "cluster management"]
 ---
 
 Palette supports the **Pause Agent Upgrades** feature to exclude a cluster or a group of clusters from getting
-automatically upgraded when Palette is upgraded. The three ways to activate this feature are:
+automatically upgraded when Palette is upgraded.
 
-- Pause Upgrades for a Single Cluster
-- Pause Upgrades for all Clusters within Project Scope
-- Pause Upgrades for all Clusters within Tenant Scope
+## Pause Agent Upgrade Scopes
+
+Upgrades can be paused and resumed in the following scopes:
+
+- Pause upgrades for a single cluster
+- Pause upgrades for all clusters within a project
+- Pause upgrades for all clusters within a tenant
+
+When determining if the agent upgrades for one cluster is paused or not, you only need to look at the setting for the
+cluster itself. Even if agent upgrades are paused on a tenant or project level, agent upgrades for an individual cluster
+can still be turned on.
+
+Pausing or resuming agent upgrades at a higher-level scope will automatically pause or resume agent upgrades in the
+lower-level scopes. For example, if you pause agent upgrades at the tenant level, then agent upgrades will be paused for
+all projects within that tenant, and all clusters within those projects. Similarly, if you resume upgrades at the
+project level, then all clusters within that project will have their agent upgrades resumed.
+
+This is a one-time change that happens at the moment when you pause or resume upgrades in the higher scope, and it does
+not mandate that the same setting be kept at the lower scopes. If you pause or resume agent upgrades in a lower-level
+scope, it will override the setting from the higher-level scope. For example, even if all agent upgrades are paused at
+the tenant level, you can override the tenant-level pause by resuming upgrades in a specific project or a specific
+cluster. However, if you resume upgrades at the tenant level, and then pause again at the tenant level, it will pause
+agent upgrades for all clusters within the tenant, including clusters where you manually overrode the tenant-level
+settings and resumed agent upgrades.
+
+## Agent Upgrades for PCG and Edge Hosts
+
+Aside from clusters, you can also pause the agent upgrades on Private Cloud Gateways (PCG) and Edge hosts that are
+registered with Palette but are not part of a cluster.
+
+Since PCGs are scoped to tenants, you can pause the agent upgrades on a PCG by pausing agent upgrades on the tenant to
+which the PCG is associated. You can also pause or resume upgrades for a PCG in the PCG details page through **Cluster
+Settings**. Similar to clusters, pausing and resuming upgrades at the tenant level will pause or resume agent upgrades
+for all PCGs in the tenant. Pausing and resuming upgrades for a PCG individually will override the tenant-level setting.
+
+Edge hosts that are part of a cluster have their agent upgrades managed by the settings of their cluster. Edge hosts
+that are not part of a cluster have their agent upgrades managed at the project and tenant level. Similar to clusters,
+pausing or resuming agent upgrades at the tenant level will automatically pause or resume agent upgrades for all
+projects with in that tenant. However, you can override the tenant level setting by manually changing the upgrade
+setting at the project level.
+
+The following is a table showing the scopes at which you can pause agent upgrades for different objects. The same
+relationship between the scopes applies: Changing the setting in a higher scope will trigger a one-time change to the
+lower scopes, and changing the setting at the lower scope will override the setting in the higher scope.
+
+|                 | Individual Cluster/PCG | Project | Tenant |
+| --------------- | ---------------------- | ------- | ------ |
+| Cluster         | ✅                     | ✅      | ✅     |
+| PCG             | ✅                     |         | ✅     |
+| Idle Edge hosts |                        | ✅      | ✅     |
 
 ## Prerequisites
 
@@ -71,6 +118,24 @@ clusters within the project scope, or all within the tenant scope.
 
 </TabItem>
 
+<TabItem value="singlePcg" label="Single PCG" >
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant administrator.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Private Cloud Gateways** from the **Tenant Settings Menu**
+
+4. Click on the PCG you want to pause or resume upgrades for.
+
+5. From the PCG details page, click **Settings** > **Cluster Settings**.
+
+6. Toggle the **Pause Agent Upgrades** button to pause upgrades for the PCG.
+
+7. A pop-up box will ask you to confirm the action. Click **OK**.
+
+</TabItem>
+
 </Tabs>
 
 ## Validate
@@ -93,6 +158,9 @@ clusters within the project scope, or all within the tenant scope.
 
 <TabItem value="projectScope" label="All Clusters - Project Scope">
 
+Pausing upgrades in a project also pauses agent upgrades for all Edge hosts in the project that are not part of a
+cluster.
+
 1. Log in to [Palette](https://console.spectrocloud.com).
 
 2. Navigate to the left **Main Menu** and click on **Project Settings**.
@@ -105,6 +173,9 @@ clusters within the project scope, or all within the tenant scope.
 
 <TabItem value="tenantScope" label="All Clusters - Tenant Scope">
 
+Pausing upgrades in a Tenant also pauses agent upgrades for all Edge hosts in the tenant that are not part of a cluster,
+as well as PCGs in the tenant.
+
 1. Log in to [Palette](https://console.spectrocloud.com).
 
 2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
@@ -115,4 +186,20 @@ clusters within the project scope, or all within the tenant scope.
 
 </TabItem>
 
+<TabItem value="singlePcg" label="Single PCG" >
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant administrator.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Private Cloud Gateways** from the **Tenant Settings Menu**
+
+4. Click on the PCG you want to pause or resume upgrades for.
+
+5. From the PCG details page, click **Settings** > **Cluster Settings**.
+
+6. The **Pause Agent Upgrades** toggle button is checked.
+
+</TabItem>
+
 </Tabs>

docs/docs-content/security-bulletins/reports/cve-2011-4116.md

@@ -0,0 +1,33 @@
+---
+sidebar_label: "CVE-2011-4116"
+title: "CVE-2011-4116"
+description: "Lifecycle of CVE-2011-4116"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2011-4116](https://nvd.nist.gov/vuln/detail/CVE-2011-4116)
+
+## Last Update
+
+2/5/2020
+
+## NIST Summary
+
+\_is_safe in the File::Temp module for Perl does not properly handle symlinks.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick

docs/docs-content/security-bulletins/reports/cve-2017-7245.md

@@ -0,0 +1,34 @@
+---
+sidebar_label: "CVE-2017-7245"
+title: "CVE-2017-7245"
+description: "Lifecycle of CVE-2017-7245"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2017-7245](https://nvd.nist.gov/vuln/detail/CVE-2017-7245)
+
+## Last Update
+
+8/17/2018
+
+## NIST Summary
+
+Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote
+attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.
+
+## CVE Severity
+
+7.8
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick

docs/docs-content/security-bulletins/reports/cve-2017-7246.md

@@ -0,0 +1,34 @@
+---
+sidebar_label: "CVE-2017-7246"
+title: "CVE-2017-7246"
+description: "Lifecycle of CVE-2017-7246"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2017-7246](https://nvd.nist.gov/vuln/detail/CVE-2017-7246)
+
+## Last Update
+
+8/17/2018
+
+## NIST Summary
+
+Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote
+attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.
+
+## CVE Severity
+
+7.8
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick

docs/docs-content/security-bulletins/reports/cve-2018-5709.md

@@ -0,0 +1,36 @@
+---
+sidebar_label: "CVE-2018-5709"
+title: "CVE-2018-5709"
+description: "Lifecycle of CVE-2018-5709"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2018-5709](https://nvd.nist.gov/vuln/detail/CVE-2018-5709)
+
+## Last Update
+
+11/7/2023
+
+## NIST Summary
+
+An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry-\>n_key_data" in
+kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which
+is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a
+Kerberos database dump file contains trusted data.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick

docs/docs-content/security-bulletins/reports/cve-2018-6829.md

@@ -0,0 +1,36 @@
+---
+sidebar_label: "CVE-2018-6829"
+title: "CVE-2018-6829"
+description: "Lifecycle of CVE-2018-6829"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2018-6829](https://nvd.nist.gov/vuln/detail/CVE-2018-6829)
+
+## Last Update
+
+1/15/2020
+
+## NIST Summary
+
+cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts,
+which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic
+security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for
+Libgcrypt's ElGamal implementation.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick

docs/docs-content/security-bulletins/reports/cve-2019-19882.md

@@ -0,0 +1,40 @@
+---
+sidebar_label: "CVE-2019-19882"
+title: "CVE-2019-19882"
+description: "Lifecycle of CVE-2019-19882"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2019-19882](https://nvd.nist.gov/vuln/detail/CVE-2019-19882)
+
+## Last Update
+
+8/25/2020
+
+## NIST Summary
+
+shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain
+root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using
+--with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable
+for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel,
+groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root
+in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed
+(i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version
+4.8).
+
+## CVE Severity
+
+7.8
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick

docs/docs-content/security-bulletins/reports/cve-2019-20838.md

@@ -0,0 +1,34 @@
+---
+sidebar_label: "CVE-2019-20838"
+title: "CVE-2019-20838"
+description: "Lifecycle of CVE-2019-20838"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2019-20838](https://nvd.nist.gov/vuln/detail/CVE-2019-20838)
+
+## Last Update
+
+3/27/2024
+
+## NIST Summary
+
+libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than
+one fixed quantifier, a related issue to CVE-2019-20454.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick