SECURITY RELEASE ANNOUNCEMENT: AtoM 2.6.2 now available


Dan Gillean

Feb 4, 2021, 3:55:11 PM
to ICA-AtoM Users

Greetings AtoM community members,


We have a new security release available today for public download and installation. 


AtoM 2.6.2 includes just one issue fix (#13470), patching a blind SQL injection vulnerability on the clipboard. We would like to thank the United Nations Archives and Records Management Section and the Carleton University Library for reporting this issue to us, using our Security reporting guidelines. Further details have been included on the official 2.6.2 release page on the AtoM wiki. 


This issue affects releases 2.4.x, 2.5.x, and 2.6.x. We recommend all users upgrade to version 2.6.2 as soon as possible. Visit the Downloads page to download the most recent release, and consult the 2.6 Upgrading and Installation guides in our documentation for further information.


For users who are unable to upgrade at this time, patches for 2.4, 2.5, and 2.6 have been made available that can be applied directly to a production installation, along with basic instructions for applying the patch, on the related issue ticket. See:



Our next AtoM release will be 2.6.3, which will include bug fixes and a replacement for AtoM’s Flash-based multi-uploader. Please see this previous forum thread for more information:



Release 2.7 is loosely slated for release in Q3 of 2021. 


As always please let us know if you have any questions!


Cheers,


Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

matthewb...@gmail.com

Feb 8, 2021, 7:29:39 AM
to AtoM Users

I applied the patch using git on my 2.6.1 version. I got no errors or responses. So I presume it was applied successfully. Is there a way to verify this?

Jim Adamson

Feb 8, 2021, 9:59:55 AM
to ica-ato...@googlegroups.com
Hello,

Log in to the web UI, go to Cog > Settings > Global. The version will display in the Application version field at the top. Hopefully it's updated to 2.6.2.

Another way is with git status/git log commands to tell you the state of your local repo. To be doubly sure you could have a look to see whether the updated files contain the same content as the ones on your server.

Thanks, Jim



--
Jim Adamson
Systems Administrator/Developer
Facilities Management Systems
IT Services
LFA/237 | Harry Fairhurst building | University of York | Heslington | York | YO10 5DD

Dan Gillean

Feb 8, 2021, 11:18:48 AM
to ICA-AtoM Users
Hi Jim and Matthew, 

If you're applying the patch to a 2.6.0 or 2.6.1 installation, rather than using the tarball to perform an upgrade, then the version number in AtoM's settings will likely NOT change. The patch is just a small piece of code that's applied directly to the affected file, while an upgrade includes additional internal changes that will bump versioning, etc. 

Going and actually verifying that apps/qubit/modules/user/actions/clipboardSaveAction.class.php reflects the changes in the commit that Jim linked above is probably the best way to get peace of mind that the changes are in place. If you've used git, then Jim's suggestions for status or log options are good as well - but they won't apply in the same way if you've used patch. There are some suggestions in this StackExchange thread for checking that, but since our patch just affects one file, I would personally find it quicker to just change directories to the relevant file, open it in the terminal, and check if it matches the changes found in the relevant commit.

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him
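Dan's advice above is to confirm the fix by comparing the affected file against the commit. The following shell script is an added example, not code from this thread, from AtoM, or from Artefactual's actual 2.6.2 patch: the PHP lines, the file names (before.txt, after.txt, clip.php, fix.patch) and the diff are all constructed for illustration. It automates that comparison for a single-file unified diff, reading the lines the patch adds and removes and reporting whether the target file is in the patched state, the unpatched state, or neither, regardless of whether the fix was applied with git, with patch(1), or by hand.

```shell
#!/bin/sh
# Added example, not code from the thread, AtoM, or Artefactual's 2.6.2 patch.
# Checks whether a single-file unified diff has already been applied to a file
# by comparing the patch's '+' and '-' lines against the file's content, so it
# works whether the fix was applied with git, with patch(1), or by hand.
set -eu

# Classify a target file against a unified diff.
# Prints one of: applied | not-applied | mixed
#   $1 = path to the patch file   $2 = path to the file the patch targets
patch_state() {
  patchfile="$1"; target="$2"
  added=0; added_present=0; removed=0; removed_present=0; in_hunk=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '--- '*|'+++ '*) in_hunk=0; continue ;;   # old/new file headers
      '@@ '*)          in_hunk=1; continue ;;   # start of a hunk
    esac
    [ "$in_hunk" -eq 1 ] || continue           # skip anything outside hunks
    case "$line" in
      '+'*) added=$((added + 1))               # line the patch introduces
            if grep -Fxq -- "${line#+}" "$target"; then
              added_present=$((added_present + 1))
            fi ;;
      '-'*) removed=$((removed + 1))           # line the patch deletes
            if grep -Fxq -- "${line#-}" "$target"; then
              removed_present=$((removed_present + 1))
            fi ;;
    esac
  done < "$patchfile"

  if [ "$added" -eq 0 ] && [ "$removed" -eq 0 ]; then
    echo mixed; return 0                       # no hunks: not a unified diff
  fi
  if [ "$added_present" -eq "$added" ] && [ "$removed_present" -eq 0 ]; then
    echo applied                               # every new line in, every old line gone
  elif [ "$added_present" -eq 0 ] && [ "$removed_present" -eq "$removed" ]; then
    echo not-applied                           # file still matches the pre-patch state
  else
    echo mixed                                 # partially applied, or neither state
  fi
}

# Constructed sample data (hypothetical file names and contents): a file before
# and after a fix, plus the unified diff between the two states.
write_sample() {                               # $1 = directory to populate
  cat > "$1/before.txt" <<'EOF'
<?php
$id = $_GET['id'];
$rows = query("SELECT * FROM clip WHERE id = " . $id);
EOF
  cat > "$1/after.txt" <<'EOF'
<?php
$id = $_GET['id'];
$rows = query("SELECT * FROM clip WHERE id = ?", array($id));
EOF
  cat > "$1/fix.patch" <<'EOF'
--- a/clip.php
+++ b/clip.php
@@ -1,3 +1,3 @@
 <?php
 $id = $_GET['id'];
-$rows = query("SELECT * FROM clip WHERE id = " . $id);
+$rows = query("SELECT * FROM clip WHERE id = ?", array($id));
EOF
}

# Demo: classify the constructed before/after files against the constructed diff.
demo() {
  dir=$(mktemp -d)
  write_sample "$dir"
  printf 'before.txt: %s\n' "$(patch_state "$dir/fix.patch" "$dir/before.txt")"
  printf 'after.txt:  %s\n' "$(patch_state "$dir/fix.patch" "$dir/after.txt")"
  rm -rf "$dir"
}
demo
```

The check is content-based, so it cannot tell a line the patch added from an identical line that already existed elsewhere in the file; treat "applied" as a strong hint rather than proof. Where patch(1) is installed, a stricter test is to run the patch in reverse as a dry run from the installation root (`patch -p1 -R --dry-run < fix.patch`): if the reverse applies cleanly, the forward patch is already in place.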
