Release date: February 4, 2021
Download link: atom-2.6.2.tar.gz (18.7MB)
Database schema version: v184
Release 2.6.2 is a security patch release for the 2.6.0 AtoM release. It includes only one bug fix to address a recently discovered security vulnerability affecting AtoM 2.4, 2.5, and 2.6. Further disclosure details will be included here once the release is publicly available.
- #13470 - Clipboard toggle endpoint is vulnerable to SQL injection
Thanks to a security report from the United Nations Archives and Records Management Section and Carleton University Library, we have patched a SQL injection vulnerability caused by a non-parameterized query on the clipboard, an issue found in releases 2.4, 2.5, and 2.6. This is a blind SQL injection vulnerability, which fortunately reduces the range of exploits this might expose - but nevertheless should be taken seriously and addressed quickly.
This 2.6.2 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.2 as soon as possible. While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as 2.6.x, that can be applied locally if upgrading to 2.6.2 is not an option.
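To illustrate the class of defect the advisory describes (a query built by string interpolation versus a parameterized one), here is an added example that is not AtoM's own code and does not reflect AtoM's real schema or the patched endpoint. It uses an in-memory SQLite table with constructed rows and a hypothetical `toggle_clipboard` helper. The toggle endpoint only reports whether something was toggled, not query results, which is why an injection there is "blind": the only signal is whether the lookup matched anything.

```python
import sqlite3


def setup_db():
    """Build a constructed in-memory table; names and rows are illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE information_object (id INTEGER PRIMARY KEY, slug TEXT)")
    conn.executemany(
        "INSERT INTO information_object (id, slug) VALUES (?, ?)",
        [(1, "fonds-a"), (2, "fonds-b"), (3, "series-c")],
    )
    return conn


def lookup_ids_unsafe(conn, slug):
    """Vulnerable form: the user-supplied slug is spliced into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = f"SELECT id FROM information_object WHERE slug = '{slug}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_ids_safe(conn, slug):
    """Hardened form: the slug travels as a bound parameter and is always
    compared as a literal value, never parsed as SQL."""
    sql = "SELECT id FROM information_object WHERE slug = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (slug,))]


def toggle_clipboard(conn, clipboard, slug, lookup):
    """Hypothetical toggle endpoint: add or remove every matched id from the
    clipboard set and report only whether anything matched. With the unsafe
    lookup, that single boolean is what an injected condition would leak."""
    ids = lookup(conn, slug)
    for item_id in ids:
        if item_id in clipboard:
            clipboard.remove(item_id)
        else:
            clipboard.add(item_id)
    return len(ids) > 0


if __name__ == "__main__":
    conn = setup_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("unsafe, normal slug :", lookup_ids_unsafe(conn, "fonds-b"))
    print("unsafe, crafted slug:", lookup_ids_unsafe(conn, crafted))
    print("safe,   crafted slug:", lookup_ids_safe(conn, crafted))
    clip = set()
    print("toggle (safe) matched:", toggle_clipboard(conn, clip, crafted, lookup_ids_safe))
    print("clipboard contents   :", sorted(clip))
```

Running it shows the unsafe lookup matching every row for the crafted slug while the parameterized lookup matches none and leaves the clipboard empty; the fix in 2.6.2 is of this second shape, binding the value rather than interpolating it.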
- AtoM 2.6.2 tarball direct download: atom-2.6.2.tar.gz
- AtoM Downloads page
- 2.6 installation and upgrading instructions
- 2.4, 2.5, and 2.6 patches and instructions on how to apply them: see issue #13470.
- General tips on using git to apply patches
For a full list of issues related to the 2.6.2 release, see the following link to our issue tracker: