HEADS UP! UPCOMING AtoM 2.6.4 SECURITY RELEASE


Dan Gillean

Apr 8, 2021, 4:00:17 PM
to ICA-AtoM Users

Greetings AtoM community, 


Thanks to a security vulnerability report delivered from our community via our Security reporting address (learn more about our Security reporting policy for AtoM here), we are preparing a 2.6.4 security release, which we intend to make available next week, on Thursday, April 15th, 2021. At that time, we will also share more information about the nature of the vulnerability. 


The issue reported also affects earlier 2.4 and 2.5 releases. Additionally, we’re aware that many of you may have just upgraded to 2.6.3. To provide the widest possible coverage, as well as give recently upgraded users a way to avoid a fresh install, we will also be making patches available for 2.4, 2.5, and 2.6 releases that can be applied in-place without upgrading. Note that these patches will not increment the release version number in Admin > Settings, but will patch the security vulnerability. 


Thank you in advance for your patience and understanding! Extra big thank you to our community for continuing to report these kinds of issues to us, so we can fix them and make AtoM as secure as possible. 


Stay tuned for a release announcement next Thursday!


For more information, you can check out:



Thanks,


Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

Steve Lapommeray

Apr 14, 2021, 2:57:12 PM
to AtoM Users
Hello,

If I'm upgrading from v2.6.x to 2.6.4, do I need to run the upgrade task?

Thanks,
Steve

Dan Gillean

Apr 15, 2021, 10:03:26 AM
to ICA-AtoM Users
Hi Steve, 

With a minor release upgrade, it's typically not necessary, since we try to avoid including database schema changes in minor releases - but in general it's a good idea to run the task as part of any upgrade, just in case. This is especially true if you are using our downloadable tarballs for your installation process. If you have followed option 2 in our installation instructions (installing from our GitHub code repository), then for minor releases, you can generally just do a pull --rebase to get the latest changes, restart services, rebuild the search index, and be good to go. 

With major releases (e.g. 2.5.x to 2.6.x) you will definitely always want to run the upgrade task, regardless of installation method. Additionally, major releases are where we tend to upgrade underlying dependencies (such as Elasticsearch, PHP, MySQL, and even the Ubuntu version) so you would not want to try upgrading in place for a major release upgrade, as you may need to reinstall some of the dependencies. 

For this upcoming 2.6.4 release, we will also have patches available. These can be applied in place to address the reported vulnerability without any need to upgrade. The release number in Admin > Settings will not change (it will still say 2.6.3 if you apply the patch) with this method, but the core issue will be addressed. 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/6148e21a-9cf4-4fca-8c85-4775fb7fa2f7n%40googlegroups.com.
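The minor-release path Dan describes above (pull --rebase, run the upgrade task to be safe, rebuild the search index, restart services) and the warning not to do that for a major jump, written up as an added shell script. This is an illustrative example, not Artefactual's own tooling or anything from the thread. It assumes a git-based install (option 2 of the install docs), the symfony tasks tools:upgrade-sql, cc and search:populate, and the checkout path and service names in ATOM_DIR and ATOM_SERVICES; adjust those for your server. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Artefactual's own tooling): classify an AtoM version
# jump and, for a minor release on a git-based install, run the in-place
# update steps from the thread. A major jump (2.5.x -> 2.6.x) is refused
# because those releases tend to change Elasticsearch, PHP, MySQL or the
# Ubuntu version and may need dependencies reinstalled.
# Assumptions not stated in the thread: the symfony tasks tools:upgrade-sql,
# cc and search:populate; the ATOM_DIR path and ATOM_SERVICES names below.
set -eu

ATOM_DIR="${ATOM_DIR:-/usr/share/nginx/atom}"                   # assumed path
ATOM_SERVICES="${ATOM_SERVICES:-php7.2-fpm nginx atom-worker}"  # assumed names

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Accept only dotted digit strings such as 2.6.4 (no "v" prefix, no suffix).
is_version() {
  case "$1" in ''|*[!0-9.]*) return 1;; esac
}

# Print "major minor patch", filling missing components with 0 (2.6 -> 2 6 0).
split_version() {
  echo "$1" | { IFS=. read -r a b c rest; echo "${a:-0} ${b:-0} ${c:-0}"; }
}

# Classify old -> new: "minor" when only the third component differs
# (2.6.3 -> 2.6.4), "major" when the first or second differs
# (2.5.6 -> 2.6.4), "none" when equal, "invalid" on malformed input.
release_kind() {
  is_version "$1" && is_version "$2" || { echo invalid; return 0; }
  # Unquoted on purpose: splits into $1-$3 (old) and $4-$6 (new).
  set -- $(split_version "$1") $(split_version "$2")
  if [ "$1" -ne "$4" ] || [ "$2" -ne "$5" ]; then echo major
  elif [ "$3" -ne "$6" ]; then echo minor
  else echo none
  fi
}

# In-place update for a minor release; refuses anything else.
upgrade_in_place() {
  kind=$(release_kind "$1" "$2")
  case "$kind" in
    minor) ;;
    none)  echo "already on $2, nothing to do"; return 0;;
    major) echo "refusing: $1 -> $2 is a major upgrade, follow the full upgrade docs" >&2; return 1;;
    *)     echo "refusing: bad version string ($1 / $2)" >&2; return 1;;
  esac
  run cd "$ATOM_DIR"
  run git fetch origin
  run git pull --rebase
  run php symfony tools:upgrade-sql     # no-op when the schema is unchanged
  run php symfony cc                    # clear the symfony cache
  run php symfony search:populate       # rebuild the Elasticsearch index
  for svc in $ATOM_SERVICES; do run sudo systemctl restart "$svc"; done
}

# Usage: sh atom-minor-update.sh 2.6.3 2.6.4   (DRY_RUN=1 to preview)
if [ $# -eq 2 ]; then upgrade_in_place "$1" "$2"; fi
```

Note that this covers the git checkout route only; if you installed from a tarball, or you are applying one of the in-place security patches rather than moving to 2.6.4, the version shown in Admin > Settings will not be your evidence that the fix is in place, so keep a record of what you applied and when.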