Release date: August 28, 2019
Download link: atom-2.5.2.tar.gz
Release 2.5.2 is a security patch release for AtoM 2.5. We've also closed a number of bug tickets in order to address issues that arose with the 2.5 release - you can view more details on each ticket in our issue tracker at the following links:
Thank you to community users Thomas Misilo, Kenny Pierce, and Augusto Torres for helping to bring this issue to our attention!
A regression has been discovered in releases 2.5 and 2.5.1 that exposes AtoM users to a potential cross-site scripting (XSS) vulnerability. This release includes patches that resolve the issue. We encourage all 2.5 users to upgrade as soon as possible.
The regression was introduced with the addition of full Markdown support (issue #12148) in the 2.5 release. We have addressed the issue in this release with the following 2 commits, which a developer could potentially apply as a patch to an earlier 2.5.x release in lieu of upgrading:
For those who are concerned about this issue but unable to upgrade at this time, disabling Markdown via Admin > Settings > Markdown will also circumvent the issue until upgrading is possible.
Related issue ticket: #13125 - XSS vulnerability in 2.5.x
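The notes above do not describe the defect itself, only that full Markdown rendering introduced it and that disabling Markdown avoids it. As an added illustration (not AtoM's code), this is the general mitigation for any Markdown-to-HTML pipeline: pass the rendered fragment through an allowlist sanitizer before it reaches the page, so raw HTML, event-handler attributes and script-scheme links embedded in user-supplied Markdown are dropped. The tag and attribute allowlists are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: the elements a Markdown renderer normally emits.
ALLOWED_TAGS = {"p", "em", "strong", "a", "ul", "ol", "li", "code", "pre",
                "blockquote", "h1", "h2", "h3", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # everything else (on*, style, ...) is dropped
VOID_TAGS = {"br"}


def _safe_href(value):
    """Allow absolute http(s)/mailto links and same-site paths; reject javascript:, data:, etc."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://", "mailto:")):
        return True
    return v.startswith("/") and not v.startswith("//")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0          # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return              # unknown element: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-escape text, including decoded entities


def sanitize_html(fragment):
    """Return a copy of the rendered HTML fragment containing only allowlisted markup."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```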
New Security Policy
The security issue above was discovered thanks to helpful input from our AtoM community - thank you!
In order to provide consistent reporting and disclosure practices in the future, the AtoM project has developed a new Security Policy, which can be found in the AtoM code repository:
The short version of the policy:
- If you discover what you think is a security vulnerability in AtoM, please email us at email@example.com
- Please do not post about the issue in our public forum or file a public issue in our GitHub repository - this may announce the vulnerability to malicious actors before we have had a chance to review the issue and prepare a fix
- We will disclose any security vulnerabilities after we have evaluated them and, if needed, prepared a patch to solve the issue. We will make this patch available for the development branch and the most recent stable release
- Depending on the severity of the issue we may also provide a patch for older stable releases
- The full policy can be reviewed here
Related issue: #13139 - Add new security policy to the AtoM repo
Updated job scheduler configuration
AtoM relies on a job scheduler called Gearman to execute certain long-running tasks asynchronously, so that web requests are handled promptly and workloads can be distributed across multiple machines. Examples include imports via the user interface, finding aid and report generation, rights inheritance, date calculation, Archivematica DIP uploads, and more. You can read more about the installation process in our documentation here.
As AtoM shifts to using the job scheduler in more areas of the application, we have seen an increase in forum posts from users reporting 500 errors because the atom-worker required a restart. After some research, user input via the forum, and internal testing, we have revised the systemd config file for the atom-worker service (for Ubuntu 16.04 and 18.04 installations), which should resolve the majority of these issues and prevent the atom-worker from dying as often as before.
You can find the updated configuration block in our documentation here:
As part of your upgrade, we recommend that you review the service configuration (located at /usr/lib/systemd/system/atom-worker.service) and update the atom-worker configuration as well!
Related issue: #13109 - AtoM worker service is unstable in systemd
Bug fixes and minor enhancements
Issue numbers associated with new features and bug fixes listed below refer to the AtoM project issue tracker. Artefactual uses the issue tracker to track bug reports, development tasks, feature requirements, quality assurance testing, and related development discussion. You can use the numbers to search for the related issue ticket in our Issue tracker - often the tickets will include more information on how the feature was implemented.
- #12782 - AtoM returns 200 HTTP status instead of 403 when bots and curl requests attempt to access restricted pages
- #12830 - Docker: qtSwordPluginWorker ability never gets added to the worker
- #13067 - Archivematica: DC metadata not imported into AtoM when DIP created from transfer in backlog
- #13068 - Archivematica: AtoM not creating information object for re-ingested AIPs with updated metadata
- #13070 - Copyright pop-up HTML content not rendering
- #13106 - Markdown not working on edit theme page of repository records
- #13108 - Job scheduler can't find worker after site title changes
- #13113 - User menu breaks when there are no login, logout, or myProfile menu options
- #13117 - Notify users of the need to restart the AtoM worker when the qtSwordPlugin is enabled/disabled via the user interface
- #13119 - Upgrade Docker image and Docker Compose env to work with latest dependencies
- #13124 - Full-width treeview paging button not shown for public users
- #13131 - Description and actor browse pages broken when Markdown is disabled and more than one filter applied
- #13137 - User interface layout broken by long site titles or large logos
- #13139 - Add a security reporting policy to the AtoM code repository
- #13143 - REST API returns 200 status in error responses
- #13144 - Creating a digital object without a path raises an error
- #13145 - Digital object metadata is not visible when Markdown is disabled
- #13155 - Update the AtoM repo README file with more information and links
For a full list of issues related to the 2.5.2 release, see the following links to our issue tracker: