Difference between revisions of "Releases/Release announcements/Release 2.6.4"

From AtoM wiki
m (Security patch: fix label typo)
m (same as before)
 
(2 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
'''Release date''': April 15, 2021
 
'''Release date''': April 15, 2021
  
'''Download link''': [http://storage.accesstomemory.org/releases/atom-2.6.4.tar.gz atom-2.6.4.tar.gz] ('''not active yet''')
+
'''Download link''': [https://storage.accesstomemory.org/releases/atom-2.6.4.tar.gz atom-2.6.4.tar.gz] (17 MB)
  
 
'''Database schema version''': v184
 
'''Database schema version''': v184
Line 14: Line 14:
 
==Security patch==
 
==Security patch==
  
* #xxxx (details coming soon)
+
* #13495
  
'''We will disclose further details about the security vulnerability after the release and patches are publicly available'''
+
Thanks to a [https://github.com/artefactual/atom/blob/qa/2.x/SECURITY.md security report] from the [https://archives.un.org/ United Nations Archives and Records Management Section], we have patched a cross-site scripting ([https://en.wikipedia.org/wiki/Cross-site_scripting XSS]) vulnerability found on the Clipboard export page. This was missed in previous testing because it requires a specific order of clicks to activate the vulnerability. A third-party security researcher reported this to UN ARMS, who then passed on the information to Artefactual. We have reproduced the issue, and confirmed that it also affects 2.4.x and 2.5.x releases as well as all previous 2.6.x releases.
  
This 2.6.4 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.4 as soon as possible, or else apply one of the available 2.6 patches. While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases that can be applied locally if upgrading to 2.6.4 is not an option.
+
This 2.6.4 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.4 as soon as possible.
 +
 
 +
While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as 2.6.x, that can be applied locally if upgrading to 2.6.4 is not an option. The patch and basic installation instructions can be found on the related issue ticket - see:
 +
 
 +
* https://projects.artefactual.com/issues/13495#note-2
  
 
'''Links'''
 
'''Links'''
  
* AtoM 2.6.4 tarball direct download:  [http://storage.accesstomemory.org/releases/atom-2.6.4.tar.gz atom-2.6.4.tar.gz]
+
* AtoM 2.6.4 tarball direct download:  [https://storage.accesstomemory.org/releases/atom-2.6.4.tar.gz atom-2.6.4.tar.gz]
 
* AtoM [https://www.accesstomemory.org/download/ Downloads] page
 
* AtoM [https://www.accesstomemory.org/download/ Downloads] page
 
* 2.6 [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/linux/linux/ installation] and [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/upgrading/ upgrading] instructions
 
* 2.6 [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/linux/linux/ installation] and [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/upgrading/ upgrading] instructions
* 2.4, 2.5, and 2.6 patches and instructions on how to apply them: [coming soon]
+
* 2.4, 2.5, and 2.6 patches and instructions on how to apply them: [https://projects.artefactual.com/issues/13495#note-2 here]
 
* [https://gitbetter.substack.com/p/how-to-use-git-patch-effectively General tips on using git to apply patches]
 
* [https://gitbetter.substack.com/p/how-to-use-git-patch-effectively General tips on using git to apply patches]
  

Latest revision as of 15:46, 15 April 2021

Main Page > Releases > Releases/Release announcements > Release 2.6.4

Release date: April 15, 2021

Download link: atom-2.6.4.tar.gz (17 MB)

Database schema version: v184

Release 2.6.4 is a security patch release for the 2.6.x AtoM releases. It includes one bug fix to address a recently discovered security vulnerability affecting AtoM 2.4, 2.5, and 2.6, and an unrelated internal code optimization. Further disclosure details will be included here once the release is publicly available.

Visit the Downloads page to download the most recent release, and consult the 2.6 Upgrading and Installation guides in our documentation for further information.

Security patch

  • #13495

Thanks to a security report from the United Nations Archives and Records Management Section, we have patched a cross-site scripting (XSS) vulnerability found on the Clipboard export page. This was missed in previous testing because it requires a specific order of clicks to activate the vulnerability. A third-party security researcher reported this to UN ARMS, who then passed on the information to Artefactual. We have reproduced the issue, and confirmed that it also affects 2.4.x and 2.5.x releases as well as all previous 2.6.x releases.

This 2.6.4 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.4 as soon as possible.

While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as 2.6.x, that can be applied locally if upgrading to 2.6.4 is not an option. The patch and basic installation instructions can be found on the related issue ticket - see:

Links

Seealso

For a full list of issues related to the 2.6.4 release, see the following link to our issue tracker: