SECURITY RELEASE ANNOUNCEMENT: AtoM 2.5.2 now publicly available


Dan Gillean

Aug 28, 2019, 12:48:51 PM
to ICA-AtoM Users
Greetings AtoM community! 

I'm pleased to announce that we have a new 2.5.2 release available for public download and installation. 

We've closed 20 tickets in this release, including patching a security vulnerability that was introduced in the 2.5 release. We encourage all 2.5.x users to upgrade as soon as possible. 

Release links
Security Patch
A regression has been discovered in releases 2.5 and 2.5.1 that exposes AtoM users to a potential cross-site scripting (XSS) vulnerability. This release includes patches that resolve the issue. We encourage all 2.5.x users to upgrade as soon as possible.

The regression was introduced with the addition of full Markdown support in the 2.5 release. We have addressed the issue in this release with the following 2 commits, which a developer could potentially apply as a patch to an earlier 2.5.x release in lieu of upgrading:
For those who are concerned about this issue but unable to upgrade at this time, disabling Markdown via Admin > Settings > Markdown will also circumvent the issue until upgrading is possible.

New Security Policy
The security issue above was discovered thanks to helpful input from our AtoM community - thank you!

In order to provide consistent reporting and disclosure practices in the future, the AtoM project has developed a new Security Policy, which can be found in the AtoM code repository:
I will be making a separate post about this in the forum shortly, to share the details contained in the policy with the forum. 

Updated job scheduler configuration
AtoM relies on a job scheduler called Gearman in order to execute certain long-running tasks asynchronously to guarantee that web requests are handled promptly and workloads can be distributed across multiple machines. Examples include imports via the user interface, finding aid and report generation, rights inheritance, date calculation, Archivematica DIP uploads, and more. You can read more about the installation process in our documentation here.

As AtoM shifts to using the job scheduler in more areas of the application, we have seen an increase in posts in the user forum from users reporting 500 errors due to the atom-worker requiring a restart. After some research, user input via the forum, and internal testing, we have revised the config file for the atom-worker service in systemd (for Ubuntu 16.04 and 18.04 installations), which should resolve the majority of these issues and prevent the atom-worker from dying as often as previously.

You can find the updated configuration block in our documentation here:
As part of your upgrade, we recommend that you review the service configuration (located at /usr/lib/systemd/system/atom-worker.service) and update the atom-worker configuration as well!

Bug fixes

In addition to the issues described above, we've also addressed 18 other bug reports in this release! You can view more details on each ticket in our issue tracker at the following links:
Visit the Downloads page to download the most recent release, and consult the 2.5 Upgrading and Installation guides in our documentation for further information.

Thank you to all of our community members for helping to make this release possible. As always, let us know if you have any questions! 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory