Release date: April 15, 2021
Download link: atom-2.6.4.tar.gz (17 MB)
Database schema version: v184
Release 2.6.4 is a security patch release for the 2.6.x AtoM releases. It includes one bug fix to address a recently discovered security vulnerability affecting AtoM 2.4, 2.5, and 2.6, and an unrelated internal code optimization. Further disclosure details will be included here once the release is publicly available.
Thanks to a security report from the United Nations Archives and Records Management Section (UN ARMS), we have patched a cross-site scripting (XSS) vulnerability found on the Clipboard export page. This was missed in previous testing because a specific order of clicks is required to trigger the vulnerability. A third-party security researcher reported this to UN ARMS, who then passed the information on to Artefactual. We have reproduced the issue and confirmed that it also affects the 2.4.x and 2.5.x releases, as well as all previous 2.6.x releases.
This 2.6.4 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.4 as soon as possible.
While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as for 2.6.x, that can be applied locally if upgrading to 2.6.4 is not an option. The patch and basic installation instructions can be found on the related issue ticket; see:
- AtoM 2.6.4 tarball direct download: atom-2.6.4.tar.gz
- AtoM Downloads page
- 2.6 installation and upgrading instructions
- 2.4, 2.5, and 2.6 patches and instructions on how to apply them: here
- General tips on using git to apply patches
For a full list of issues related to the 2.6.4 release, see the following link to our issue tracker: