Releases/Release announcements/Release 2.6.2

From AtoM wiki
Latest revision as of 15:54, 4 February 2021


Release date: February 4, 2021

Download link: atom-2.6.2.tar.gz (18.7MB)

Database schema version: v184

Release 2.6.2 is a security patch release for the 2.6.0 AtoM release. It includes only one bug fix, addressing a recently discovered security vulnerability that affects AtoM 2.4, 2.5, and 2.6. Disclosure details are given under Security patch below.

Visit the Downloads page to download the most recent release, and consult the 2.6 Upgrading and Installation guides in our documentation for further information.

Security patch

  • #13470 - Clipboard toggle endpoint is vulnerable to SQL injection

Thanks to a security report from the United Nations Archives and Records Management Section and Carleton University Library, we have patched a SQL injection vulnerability caused by a non-parameterized query in the clipboard toggle endpoint; the issue is present in releases 2.4, 2.5, and 2.6. This is a blind SQL injection: the endpoint never returns query results to the caller, which narrows the range of exploits compared with a classic error- or UNION-based injection. It does not make the flaw benign, however. An attacker can still infer database contents one bit at a time from whether the request succeeds or how long it takes, so the issue should be taken seriously and addressed quickly.

This 2.6.2 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.2 as soon as possible. While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as 2.6.x, that can be applied locally if upgrading to 2.6.2 is not an option.

Links

  • AtoM 2.6.2 tarball direct download: atom-2.6.2.tar.gz (http://storage.accesstomemory.org/releases/atom-2.6.2.tar.gz)
  • AtoM Downloads page (https://www.accesstomemory.org/download/)
  • 2.6 installation (https://www.accesstomemory.org/docs/2.6/admin-manual/installation/linux/linux/) and upgrading (https://www.accesstomemory.org/docs/2.6/admin-manual/installation/upgrading/) instructions
  • 2.4, 2.5, and 2.6 patches and instructions on how to apply them: see issue #13470 (https://projects.artefactual.com/issues/13470)
  • General tips on using git to apply patches (https://gitbetter.substack.com/p/how-to-use-git-patch-effectively)

See also

For a full list of issues related to the 2.6.2 release, see the following links to our issue tracker:

  • Release 2.6.2 Roadmap / Overview (https://projects.artefactual.com/versions/133)
  • #13470 (https://projects.artefactual.com/issues/13470)