SECURITY RELEASE ANNOUNCEMENT: AtoM 2.6.2 now available

111 views
Skip to first unread message

Dan Gillean

unread,
Feb 4, 2021, 3:55:11 PM2/4/21
to ICA-AtoM Users

Greetings AtoM community members,


We have a new security release available today for public download and installation. 


AtoM 2.6.2 includes just one issue fix (#13470), patching a blind SQL injection vulnerability on the clipboard. We would like to thank the United Nations Archives and Records Management Section and the Carleton University Library for reporting this issue to us, using our Security reporting guidelines. Further details have been included on the official 2.6.2 release page on the AtoM wiki. 


This issue affects releases 2.4.x, 2.5.x, and 2.6.x. We recommend all users upgrade to version 2.6.2 as soon as possible. Visit the Downloads page to download the most recent release, and consult the 2.6 Upgrading and Installation guides in our documentation for further information.


For users who are unable to upgrade at this time, patches for 2.4, 2.5, and 2.6 have been made available that can be applied directly to a production installation, along with basic instructions for applying the patch, on the related issue ticket. See:



Our next AtoM release will be 2.6.3, which will include bug fixes and a replacement for AtoM’s Flash-based multi-uploader. Please see this previous forum thread for more information:



Release 2.7 is loosely slated for release in Q3 of 2021. 


As always please let us know if you have any questions!


Cheers,


Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

matthewb...@gmail.com

unread,
Feb 8, 2021, 7:29:39 AM2/8/21
to AtoM Users

I applied the patch using git on my 2.6.1 version. I got no errors or responses. So I presume it was applied successfully. Is there a way to verify this?

Jim Adamson

unread,
Feb 8, 2021, 9:59:55 AM2/8/21
to ica-ato...@googlegroups.com
Hello,

Log in to the web UI, go to Cog > Settings > Global. The version will display in the Application version field at the top. Hopefully it's updated to 2.6.2.

Another way is with git status/git log commands to tell you the state of your local repo. To be doubly sure you could have a look to see whether the updated files contain the same content as the ones on your server.

Thanks, Jim

--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/5c71f9b0-420c-4823-bb96-b0539615f918n%40googlegroups.com.


--
Jim Adamson
Systems Administrator/Developer
Facilities Management Systems
IT Services
LFA/237 | Harry Fairhurst building | University of York | Heslington | York | YO10 5DD

Dan Gillean

unread,
Feb 8, 2021, 11:18:48 AM2/8/21
to ICA-AtoM Users
Hi Jim and Matthew, 

If you're applying the patch to a 2.6.0 or 2.6.1 installation, rather than using the tarball to perform an upgrade, then the version number in AtoM's settings will likely NOT change. The patch is just a small piece of code that's applied directly to the affected file, while an upgrade includes additional internal changes that will bump versioning, etc. 

Going and actually verifying that apps/qubit/modules/user/actions/clipboardSaveAction.class.php reflects the changes in the commit that Jim linked above is probably the best way to get peace of mind that the changes are in place. If you've used git, then Jim's suggestions for status or log options are good as well - but they won't apply in the same way if you've used patch. There are some suggestions in this StackExchange thread for checking that, but since our patch just affects one file, I would personally find it quicker to just change directories to the relevant file, open it in the terminal, and check if it matches the changes found in the relevant commit

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

Reply all
Reply to author
Forward
0 new messages