Difference between revisions of "Releases/Release announcements/Release 2.6.4"
m (→Security patch: fix label typo) |
m (same as before) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
'''Release date''': April 15, 2021 | '''Release date''': April 15, 2021 | ||
| − | '''Download link''': [ | + | '''Download link''': [https://storage.accesstomemory.org/releases/atom-2.6.4.tar.gz atom-2.6.4.tar.gz] (17 MB) |
'''Database schema version''': v184 | '''Database schema version''': v184 | ||
| Line 14: | Line 14: | ||
==Security patch== | ==Security patch== | ||
| − | * # | + | * #13495 |
| − | + | Thanks to a [https://github.com/artefactual/atom/blob/qa/2.x/SECURITY.md security report] from the [https://archives.un.org/ United Nations Archives and Records Management Section], we have patched a cross-site scripting ([https://en.wikipedia.org/wiki/Cross-site_scripting XSS]) vulnerability found on the Clipboard export page. This was missed in previous testing because it requires a specific order of clicks to activate the vulnerability. A third-party security researcher reported this to UN ARMS, who then passed on the information to Artefactual. We have reproduced the issue, and confirmed that it also affects 2.4.x and 2.5.x releases as well as all previous 2.6.x releases. | |
| − | This 2.6.4 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.4 as soon as possible | + | This 2.6.4 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.4 as soon as possible. |
| + | |||
| + | While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as 2.6.x, that can be applied locally if upgrading to 2.6.4 is not an option. The patch and basic installation instructions can be found on the related issue ticket - see: | ||
| + | |||
| + | * https://projects.artefactual.com/issues/13495#note-2 | ||
'''Links''' | '''Links''' | ||
| − | * AtoM 2.6.4 tarball direct download: [ | + | * AtoM 2.6.4 tarball direct download: [https://storage.accesstomemory.org/releases/atom-2.6.4.tar.gz atom-2.6.4.tar.gz] |
* AtoM [https://www.accesstomemory.org/download/ Downloads] page | * AtoM [https://www.accesstomemory.org/download/ Downloads] page | ||
* 2.6 [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/linux/linux/ installation] and [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/upgrading/ upgrading] instructions | * 2.6 [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/linux/linux/ installation] and [https://www.accesstomemory.org/docs/2.6/admin-manual/installation/upgrading/ upgrading] instructions | ||
| − | * 2.4, 2.5, and 2.6 patches and instructions on how to apply them: [ | + | * 2.4, 2.5, and 2.6 patches and instructions on how to apply them: [https://projects.artefactual.com/issues/13495#note-2 here] |
* [https://gitbetter.substack.com/p/how-to-use-git-patch-effectively General tips on using git to apply patches] | * [https://gitbetter.substack.com/p/how-to-use-git-patch-effectively General tips on using git to apply patches] | ||
Latest revision as of 16:46, 15 April 2021
Main Page > Releases > Releases/Release announcements > Release 2.6.4
Release date: April 15, 2021
Download link: atom-2.6.4.tar.gz (17 MB)
Database schema version: v184
Release 2.6.4 is a security patch release for the 2.6.x AtoM releases. It includes one bug fix to address a recently discovered security vulnerability affecting AtoM 2.4, 2.5, and 2.6, and an unrelated internal code optimization. Further disclosure details will be included here once the release is publicly available.
Visit the Downloads page to download the most recent release, and consult the 2.6 Upgrading and Installation guides in our documentation for further information.
Security patch
- #13495
Thanks to a security report from the United Nations Archives and Records Management Section, we have patched a cross-site scripting (XSS) vulnerability found on the Clipboard export page. This was missed in previous testing because it requires a specific order of clicks to activate the vulnerability. A third-party security researcher reported this to UN ARMS, who then passed on the information to Artefactual. We have reproduced the issue, and confirmed that it also affects 2.4.x and 2.5.x releases as well as all previous 2.6.x releases.
This 2.6.4 release includes a fix that patches the vulnerability. We recommend that all users upgrade to 2.6.4 as soon as possible.
While we are not preparing full release tarballs for 2.5.x and 2.4.x, you will also find patches for these releases, as well as 2.6.x, that can be applied locally if upgrading to 2.6.4 is not an option. The patch and basic installation instructions can be found on the related issue ticket - see:
Links
- AtoM 2.6.4 tarball direct download: atom-2.6.4.tar.gz
- AtoM Downloads page
- 2.6 installation and upgrading instructions
- 2.4, 2.5, and 2.6 patches and instructions on how to apply them: here
- General tips on using git to apply patches
Seealso
For a full list of issues related to the 2.6.4 release, see the following link to our issue tracker: