Difference between revisions of "Releases/Release announcements/Release 2.6.2"
Latest revision as of 14:54, 4 February 2021
Release date: February 4, 2021
Download link: atom-2.6.2.tar.gz (18.7MB) - http://storage.accesstomemory.org/releases/atom-2.6.2.tar.gz
Database schema version: v184
Release 2.6.2 is a security patch release for the 2.6.0 AtoM release. It includes only one bug fix to address a recently discovered security vulnerability affecting AtoM 2.4, 2.5, and 2.6. Further disclosure details will be included here once the release is publicly available.
Visit the Downloads page to download the most recent release, and consult the 2.6 Upgrading and Installation guides in our documentation for further information.
Security patch
- #13470 - Clipboard toggle endpoint is vulnerable to SQL injection
Thanks to a security report from the United Nations Archives and Records Management Section and Carleton University Library, we have patched a SQL injection vulnerability caused by a non-parameterized query on the clipboard, an issue found in releases 2.4, 2.5, and 2.6. This is a blind SQL injection vulnerability, which fortunately reduces the range of exploits this might expose - but nevertheless should be taken seriously and addressed quickly.
This 2.6.2 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.2 as soon as possible. While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as 2.6.x, that can be applied locally if upgrading to 2.6.2 is not an option.
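As an added illustration of the defect class the announcement describes (this is not code from the AtoM project, which is written in PHP; the example uses Python with an in-memory SQLite table so it runs stand-alone), here is a clipboard toggle that splices the request's slug into the SQL text beside the same toggle with the slug bound as a query parameter. A toggle endpoint returns no query data, only a side effect, which is why a flaw of this shape is blind: an injected condition is visible only as rows flipped that the request never named, and that is exactly what the regression check at the end looks for. The table, its rows, the slug alphabet and all function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed stand-in for a clipboard table; not AtoM's real schema.
SAMPLE_ROWS = [("fonds-a", 0), ("fonds-b", 0), ("fonds-c", 1)]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clipboard_item ("
        "id INTEGER PRIMARY KEY, slug TEXT NOT NULL, in_clipboard INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO clipboard_item (slug, in_clipboard) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def toggle_unsafe(conn, slug):
    """Non-parameterized query: the slug is spliced into the SQL text.

    Whatever the request carries becomes part of the statement, so a value
    containing a quote can rewrite the WHERE clause instead of matching a slug.
    Returns the number of rows the statement changed.
    """
    sql = (
        "UPDATE clipboard_item SET in_clipboard = 1 - in_clipboard "
        "WHERE slug = '" + slug + "'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def toggle_safe(conn, slug):
    """Parameterized query: the slug is bound as a value and never parsed as SQL."""
    cur = conn.execute(
        "UPDATE clipboard_item SET in_clipboard = 1 - in_clipboard WHERE slug = ?",
        (slug,),
    )
    conn.commit()
    return cur.rowcount


def is_wellformed_slug(slug):
    """Defense in depth: reject input that cannot be a slug before it reaches SQL.

    The allowed alphabet is an assumption for this example. Binding parameters
    is the actual fix; this only narrows what reaches the query.
    """
    return re.fullmatch(r"[a-z0-9-]+", slug) is not None


def run_toggle(toggle, slug):
    """Apply a toggle to a fresh database; return (rows changed, slugs now in clipboard)."""
    conn = make_db()
    try:
        changed = toggle(conn, slug)
        in_clipboard = [
            row[0]
            for row in conn.execute(
                "SELECT slug FROM clipboard_item WHERE in_clipboard = 1 ORDER BY slug"
            )
        ]
        return changed, in_clipboard
    finally:
        conn.close()


def toggle_is_injectable(toggle):
    """Regression check: a toggle must change at most one row for any input.

    Because the endpoint returns nothing but a side effect, this is what a
    blind injection looks like from the database side: more rows changed
    than the request named. The probe is the textbook quote-and-tautology.
    """
    changed, _ = run_toggle(toggle, "x' OR 'a'='a")
    return changed > 1


if __name__ == "__main__":
    for name, toggle in (("unsafe", toggle_unsafe), ("safe", toggle_safe)):
        print(name, run_toggle(toggle, "fonds-a"), "injectable:", toggle_is_injectable(toggle))
```

The useful part for an operator is the last function: a check of this shape belongs in the test suite of any endpoint that mutates state keyed on a request value, since the fix (binding the parameter) is a one-line change that is easy to lose in a later refactor. The slug allowlist is worth keeping alongside it, but on its own it is not a substitute for parameterized queries.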
Links
- AtoM 2.6.2 tarball direct download: atom-2.6.2.tar.gz (http://storage.accesstomemory.org/releases/atom-2.6.2.tar.gz)
- AtoM Downloads page: https://www.accesstomemory.org/download/
- 2.6 installation (https://www.accesstomemory.org/docs/2.6/admin-manual/installation/linux/linux/) and upgrading (https://www.accesstomemory.org/docs/2.6/admin-manual/installation/upgrading/) instructions
- 2.4, 2.5, and 2.6 patches and instructions on how to apply them: see issue #13470 (https://projects.artefactual.com/issues/13470).
- General tips on using git to apply patches: https://gitbetter.substack.com/p/how-to-use-git-patch-effectively
See also
For a full list of issues related to the 2.6.2 release, see the following link to our issue tracker: