Release date: October 30, 2019
Download link: atom-2.5.3.tar.gz
Release 2.5.3 is a security patch release for AtoM 2.5. We've also closed several bug tickets, including a regression in the permissions module that was affecting custom groups. You can view more details on each ticket in our issue tracker at the following links:
Thank you to community users Kenny Pierce, Cindy Shen, Jeremy Heil, and Chirag Prajapati for helping to bring this issue to our attention!
A regression introduced in releases 2.5 and 2.5.1 exposed AtoM users to a potential cross-site scripting (XSS) vulnerability. Release 2.5.2 addressed it with patches that fixed the output locations reported at that time; however, additional locations with the same issue have since been reported.
Rather than continuing to patch each affected location as it is discovered, this 2.5.3 release applies a global escaping strategy that fixes the regression at its source, so that every rendered value is escaped by default.
Related issue ticket: #13192 - Reconsider escaping strategy modification when Markdown support is enabled
We encourage all 2.5 users to upgrade as soon as possible. Users who are concerned about this issue but unable to upgrade at this time can disable Markdown via Admin > Settings > Markdown; this removes the affected rendering path and circumvents the issue until upgrading is possible.
Alternatively, users can apply the following commit as a patch to a 2.5.2 installation to resolve the issue without a full upgrade:
You can append .patch to the commit URL above to see it in raw form as a patch that can be applied to your instance (for example with git apply). Here's one of many online tutorials on how to work with patches using git:
Additional security notice - PHP 7.2 vulnerability announced
Users may also wish to review the following announcement - thank you to community user Matthew Bruton for bringing this to our attention:
Artefactual has reviewed the report (CVE-2019-11043, a buffer underflow in PHP-FPM fixed in PHP 7.2.24 that is only reachable through certain nginx fastcgi_split_path_info configurations), and AtoM's configuration does not meet the criteria for this being a security risk. Sites that have customised the nginx configuration Artefactual documents should confirm that their PHP location block still matches it before relying on that assessment. Nevertheless, we recommend that PHP 7.2 users upgrade to PHP 7.2.24 or later if possible.
Bug fixes and minor enhancements
Issue numbers associated with new features and bug fixes listed below refer to the AtoM project issue tracker. Artefactual uses the issue tracker to track bug reports, development tasks, feature requirements, quality assurance testing, and related development discussion. You can use the numbers to search for the related issue ticket in our issue tracker; the tickets often include more information on how the feature was implemented.
- #13169 - Editors and translators should be able to access the physical storage module
- #13190 - Digital object metadata area header disappears when Markdown is not enabled
- #13202 - Custom groups with Create and Publish permissions cannot access the Add menu or publish descriptions
For a full list of issues related to the 2.5.3 release, see the following links to our issue tracker: