SECURITY RELEASE ANNOUNCEMENT: AtoM 2.6.4 now available


Dan Gillean

Apr 15, 2021, 5:39:24 PM
to ICA-AtoM Users

Greetings AtoM community members,


We have a new security release available today for public download and installation. 


AtoM 2.6.4 includes one issue fix (#13495), patching a cross-site scripting (XSS) vulnerability on the clipboard export page. This was missed in previous testing because it requires a specific order of clicks to activate. We would like to thank the IT team at the United Nations Archives and Records Management Section for reporting this issue to us, using our Security reporting guidelines. Further details have been included on the official 2.6.4 release page on the AtoM wiki.


This issue affects releases 2.4.x, 2.5.x, and 2.6.x. We recommend all users upgrade to version 2.6.4 as soon as possible. Visit the Downloads page to download the most recent release, and consult the 2.6 Upgrading and Installation guides in our documentation for further information.


For users who are unable to upgrade at this time (and for those who just finished upgrading to 2.6.3 and don’t want to run a whole new upgrade at this time), patches for 2.4, 2.5, and 2.6 have been made available that can be applied directly to a production installation, along with basic instructions for applying the patch, on the related issue ticket. See:



Our next major release, AtoM 2.7, is loosely slated for release in late Q3 of 2021. Some of the work that is guaranteed to be included in that release is described on the Roadmap page. 


As always, please let us know if you have any questions!


Cheers,


Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him