Releases/Release announcements/Release 2.5.3

From AtoM wiki
Revision as of 13:30, 30 October 2019

Release date: October 30, 2019

Download link: atom-2.5.3.tar.gz

Release 2.5.3 is a security patch release for AtoM 2.5. We've also closed several bug tickets, including a regression in the permissions module that was affecting custom groups. You can view more details on each ticket in our issue tracker at the following links:

Visit the Downloads page to download the most recent release, and consult the 2.5 Upgrading and Installation guides in our documentation for further information.

Security patch

Note

Thank you to community users Kenny Pierce, Cindy Shen, and Jeremy Heil for helping to bring this issue to our attention!

A regression in releases 2.5 and 2.5.1 that exposes AtoM users to a potential cross-site scripting (XSS) vulnerability was addressed in Release 2.5.2 with patches to the locations reported at the time. Since then, however, additional locations affected by the same regression have been reported.

Rather than continuing to patch affected locations individually as they are discovered, release 2.5.3 fixes the regression with a global escaping strategy.

Related issue ticket: #13192 - Reconsider escaping strategy modification when Markdown support is enabled

We encourage all 2.5 users to upgrade as soon as possible. Users who are concerned about this issue but unable to upgrade at this time can also work around it until an upgrade is possible by disabling Markdown via Admin > Settings > Markdown.

Alternatively, users could apply the following commit as a patch to a 2.5.2 installation to resolve the issue in their current installation:

Tip

You can add .patch to the commit URL above to see it in raw form as a patch that can be applied to your instance. Here's one of many online tutorials on how to work with patches using git:
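As an added illustration of the class of regression described in this section, the following Python contrasts a rendering path that applies Markdown to raw stored text with one that escapes every field at a single choke point before any formatting runs, which is what a global escaping strategy buys over per-template patches. This is example code written for this page, not AtoM's own code (AtoM is a PHP application) and not Artefactual's fix; the Markdown subset, the sample record, and the function names (markdown_subset, render_field, render_record) are stand-ins chosen for the illustration.

```python
"""Escape-then-format at one choke point, contrasted with formatting raw text.

Added example: illustrative Python, not AtoM's PHP code or Artefactual's fix.
The Markdown subset (bold, emphasis, links), the sample record and the function
names are stand-ins chosen for this illustration.
"""
import html
import re
from urllib.parse import urlsplit

# Schemes a rendered link may carry; javascript:, data: and friends are dropped.
SAFE_LINK_SCHEMES = {"http", "https", "mailto"}

BOLD_RE = re.compile(r"\*\*(.+?)\*\*")
EM_RE = re.compile(r"\*(.+?)\*")
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")


def _render_link(match: re.Match) -> str:
    text, url = match.group(1), match.group(2)
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in SAFE_LINK_SCHEMES:
        return text  # keep the visible text, drop the dangerous target
    return f'<a href="{url}">{text}</a>'


def markdown_subset(text: str) -> str:
    """Tiny stand-in for a Markdown renderer: bold, emphasis and links only."""
    text = BOLD_RE.sub(r"<strong>\1</strong>", text)
    text = EM_RE.sub(r"<em>\1</em>", text)
    return LINK_RE.sub(_render_link, text)


def render_field_vulnerable(value: str) -> str:
    """The regression pattern: Markdown runs on the raw stored value, so any HTML
    typed into a field (or imported into it) reaches the browser unescaped."""
    return markdown_subset(value)


def render_field(value: str, markdown_enabled: bool = True) -> str:
    """The choke point: escape unconditionally, then format the escaped text.
    With Markdown disabled (the interim workaround the notice describes) the
    output is plain escaped text; with it enabled, only tags the renderer
    itself emits can appear in the output."""
    escaped = html.escape(value, quote=True)
    return markdown_subset(escaped) if markdown_enabled else escaped


def render_record(record: dict[str, str], markdown_enabled: bool = True) -> dict[str, str]:
    """Every field takes the same path; no template has to remember to escape."""
    return {name: render_field(value, markdown_enabled) for name, value in record.items()}


# Constructed sample record: a script tag in one field, a javascript: link in another.
SAMPLE_RECORD = {
    "title": "Smith fonds <script>alert(document.cookie)</script>",
    "scope": "Papers of **John Smith**, see [catalogue](https://example.org/cat) "
             "and [here](javascript:alert(1))",
}

if __name__ == "__main__":
    for name, value in SAMPLE_RECORD.items():
        print(name, "raw+markdown:", render_field_vulnerable(value))
        print(name, "escaped     :", render_field(value))
```

The point of render_record is the one the release notes make: once escaping happens in a single function that every field passes through, there is no per-template decision left to miss, whereas the per-location patches in 2.5.2 depended on each affected spot being found.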

Additional security notice - PHP 7.2 vulnerability announced

Users may also wish to review the following announcement - thank you to community user Matthew Bruton for bringing this to our attention:

  • https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html

Artefactual has reviewed the report. The issue it describes (CVE-2019-11043) is a remote code execution bug in PHP-FPM that is only reachable through an nginx configuration that derives PATH_INFO with a fastcgi_split_path_info regular expression and forwards requests to PHP-FPM without first rejecting paths that are not real scripts; AtoM's configuration does not meet these criteria, so it is not exposed to this bug. Nevertheless, we recommend that PHP 7.2 users upgrade to PHP 7.2.24 or later, the 7.2 release that contains the fix, if possible.
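A check a practitioner would want alongside this notice, added here as an example and not part of the release notes or Artefactual's tooling: the public advisory for this PHP-FPM bug describes the exploitable nginx shape as a location block that forwards to PHP-FPM (fastcgi_pass), derives PATH_INFO with fastcgi_split_path_info, and has no try_files ... =404 guard in front. The Python below scans a configuration text for that combination. The two sample configurations are constructed for the illustration and are not AtoM's documented nginx configuration; the function names (audit_locations, at_risk_locations) are this example's own.

```python
"""Heuristic scan of an nginx configuration for the location-block shape that
exposes CVE-2019-11043 in unpatched PHP-FPM (fixed in PHP 7.1.33, 7.2.24, 7.3.11).

Added example, not part of the AtoM release notes or Artefactual's tooling.
The sample configurations are constructed for this illustration and are not
AtoM's documented nginx configuration.
"""
import re

# One location block: matcher text, then a body without nested braces. The scan
# does not follow `include` files or nested blocks, so treat a clean result as a
# prompt to also confirm the PHP-FPM version, not as proof of safety.
LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{([^{}]*)\}", re.S)

# Directives that together make the bug reachable:
#   fastcgi_pass                 - requests go to PHP-FPM
#   fastcgi_split_path_info      - PATH_INFO comes from a regex such as ^(.+?\.php)(/.*)$;
#                                  an encoded newline in the URL stops `.` matching,
#                                  leaving $fastcgi_path_info empty
#   PATH_INFO $fastcgi_path_info - that empty value is handed to PHP-FPM
# and the guard that removes the exposure: try_files ... =404 rejects paths that
# are not real scripts before anything is forwarded.
PASS_RE = re.compile(r"\bfastcgi_pass\b")
SPLIT_RE = re.compile(r"\bfastcgi_split_path_info\b")
PATH_INFO_RE = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info")
GUARD_RE = re.compile(r"\btry_files\b[^;]*=404")


def audit_locations(conf: str) -> list[dict]:
    """Return one finding per location block in the configuration text."""
    findings = []
    for match in LOCATION_RE.finditer(conf):
        matcher, body = match.group(1), match.group(2)
        to_fpm = PASS_RE.search(body) is not None
        splits = SPLIT_RE.search(body) is not None
        passes_path_info = PATH_INFO_RE.search(body) is not None
        guarded = GUARD_RE.search(body) is not None
        findings.append({
            "location": matcher,
            "forwards_to_fpm": to_fpm,
            "at_risk": to_fpm and splits and passes_path_info and not guarded,
        })
    return findings


def at_risk_locations(conf: str) -> list[str]:
    """Matchers of the location blocks that meet all the conditions."""
    return [f["location"] for f in audit_locations(conf) if f["at_risk"]]


# Constructed sample 1: the shape the public advisory describes as exploitable.
VULNERABLE_CONF = r"""
server {
    location ~ ^/index\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
"""

# Constructed sample 2: the same block with a try_files guard, plus a static location.
GUARDED_CONF = r"""
server {
    location ~ ^/index\.php(/|$) {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
    location /static/ {
        root /var/www/atom;
    }
}
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("guarded", GUARDED_CONF)):
        print(name, "->", at_risk_locations(conf) or "no at-risk location blocks")
```

Run it against the output of nginx -T rather than a single file so that included snippets are flattened first; the scan itself stops at the first level of braces and does not resolve include directives. Whatever it reports, the durable fix is the PHP-FPM upgrade the notice recommends.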

Bug fixes and minor enhancements

Tip

Issue numbers associated with new features and bug fixes listed below refer to the AtoM project issue tracker. Artefactual uses the issue tracker to track bug reports, development tasks, feature requirements, quality assurance testing, and related development discussion. You can use the numbers to search for the related issue ticket in our Issue tracker - often the tickets will include more information on how the feature was implemented.

  • #13169 - Editors and translators should be able to access the physical storage module
  • #13190 - Digital object metadata area header disappears when Markdown is not enabled
  • #13202 - Custom groups with Create and Publish permissions cannot access the Add menu or publish descriptions

See also

For a full list of issues related to the 2.5.3 release, see the following links to our issue tracker: