In the Web Client 11 Update 4 Changes it lists the following:
- Security updates and performance and stability enhancements. (366043, 384419, 334311, 357525)
Where do I find the details for 366043, 384419, 334311, 357525?
I'm not sure if it's official policy, but I think the documents are being intentionally vague about exactly what security updates are included. Three of those changes relate to updating the version of a library that we use, due to known vulnerabilities in those libraries. In our assessment, we determined that we use the libraries in such a way that the product is not vulnerable (e.g. by not using the affected feature of the library, or by not having any of the inputs be influenced by the user). Our users often run SCA (Software Composition Analysis) tools and do ask us about known vulnerabilities they uncover. In general it's preferable to remove the vulnerability rather than having to explain why it's not a concern. If the vulnerabilities were exploitable in some way, we would make a bigger deal about encouraging users to upgrade.
The fourth change relates to encrypting some data that was previously unencrypted. This is more of a defense-in-depth change - best practice would be that data on the server is already secured from ordinary users, and it raises the difficulty level for a machine administrator to access the data.
Hi Bill,
The numbers are references to items in our internal bug/feature tracking system. External parties do not have access to this system. We provide them in part to make it easier for Support to check if a specific bug or feature has been addressed in an update. When you see vague descriptions like the one you referenced, it usually means:
Cheers,
Sam