SECURITY RELEASE ANNOUNCEMENT: AtoM 2.5.3 now publicly available


Dan Gillean

Oct 30, 2019, 5:45:30 PM
to ICA-AtoM Users

Greetings AtoM community members, 


We have another new security release available today for public download and installation. 


We’ve closed 4 issues in this release, including a security patch and a fix for a permissions regression introduced in 2.5.0 that was affecting custom groups. We encourage all 2.5.x users to upgrade as soon as possible. 


Release links: 



Security patch


A regression has been discovered in releases 2.5 and 2.5.1 that exposes AtoM users to a potential cross-site scripting (XSS) vulnerability. We attempted to fix this in release 2.5.2, but thanks to help from several community members using AtoM’s new security reporting policy, we have discovered a few other inputs that were not properly being escaped. 


This 2.5.3 release includes a patch that introduces a new global field escaping strategy to fix the regression, rather than patching issues locally as they are discovered. 


  • Related issue ticket: #13192 


We encourage all 2.5.x users to upgrade as soon as possible. For those who are concerned about this issue but unable to upgrade at this time, disabling Markdown via Admin > Settings > Markdown will also circumvent the issue until upgrading is possible.


Alternatively, users could apply the following commit as a patch to a 2.5.2 installation to resolve the issue in their current installation: 



Bug fixes


In addition to the security patch described above, we have also closed 3 other issues, including fixing a regression introduced in 2.5.0 that was affecting custom group permissions. You can view more details on these tickets in our issue tracker, at the following links: 



Visit the Downloads page to download the most recent release, and consult the 2.5 Upgrading and Installation guides in our documentation for further information.

 

Thank you to all of our community members for helping to make this release possible. As always, let us know if you have any questions! 

 

Cheers,
 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
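To illustrate the difference between patching unescaped fields one at a time and the global field escaping strategy the announcement describes, here is an added Python example (not AtoM's own code, which is PHP). It assumes a stand-in Markdown renderer that only handles bold and italics, and uses a constructed record whose free-text field carries an HTML tag; with the global strategy every field is HTML-escaped once before Markdown runs, so Markdown still works while user-supplied markup is rendered inert, and with Markdown disabled the escaped text is returned as-is.

```python
import html
import re

# Constructed sample record (not taken from the advisory): one field with
# Markdown emphasis and one field carrying a literal HTML tag.
SAMPLE_RECORD = {
    "title": "Fonds **Smith** family",
    "scope_and_content": "Papers <script>alert(1)</script> of the Smith family",
    "notes": "See *related* fonds",
}

# Assumption: a tiny Markdown subset standing in for the real renderer.
_BOLD = re.compile(r"\*\*(.+?)\*\*")
_ITAL = re.compile(r"\*(.+?)\*")


def render_markdown(text: str) -> str:
    text = _BOLD.sub(r"<strong>\1</strong>", text)
    return _ITAL.sub(r"<em>\1</em>", text)


def render_field(value: str, markdown_enabled: bool) -> str:
    """Global strategy: escape every field first, then optionally apply
    Markdown to the escaped text. Disabling Markdown returns the escaped text."""
    escaped = html.escape(value, quote=True)
    return render_markdown(escaped) if markdown_enabled else escaped


# "Local" strategy: only the fields someone remembered to patch are escaped.
ESCAPED_FIELDS_LOCAL = {"title"}  # scope_and_content was missed


def render_record_local(record: dict, markdown_enabled: bool = True) -> dict:
    out = {}
    for name, value in record.items():
        if name in ESCAPED_FIELDS_LOCAL:
            value = html.escape(value, quote=True)
        out[name] = render_markdown(value) if markdown_enabled else value
    return out


def render_record_global(record: dict, markdown_enabled: bool = True) -> dict:
    return {name: render_field(v, markdown_enabled) for name, v in record.items()}


def has_raw_tag(rendered: str) -> bool:
    """Regression check: a literal <script tag in rendered output means escaping was skipped."""
    return "<script" in rendered.lower()
```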

Matthew Bruton

Oct 31, 2019, 9:51:06 AM
to AtoM Users
Dan,
I upgraded to this and have a quick question.
When I went to install in the nginx/atom folder it told me it could not because it was already there.
I just created another folder called atom2.5.3 and ran the install from there.
Was there another way I should have done it? This aspect is not explained in the documentation, both on upgrading and installing AtoM.
Thanks,
Matthew 

Dan Gillean

Oct 31, 2019, 2:07:07 PM
to ICA-AtoM Users
Hi Matthew, 

That approach can work, but it may be easier to do it the other way: that is, move the entire older AtoM directory to atom_old or something similar, and then rename your atom2.5.3 directory to atom, so you can follow the rest of the instructions as needed. You'll also need to restart PHP-FPM, memcached and the atom-worker as part of this - you can find tips on how to do that on the Troubleshooting page: 
In the future, I agree that it would be helpful in the Upgrading documentation to provide an example of how to install a new version of AtoM on the same server in a separate directory, but we haven't had the chance to fully test and document each step. 

Let us know how it goes! 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory


Matthew Bruton

Nov 4, 2019, 6:28:02 AM
to ica-ato...@googlegroups.com
Thanks Dan.
Helpful as always.

One super quick question:

I went with the change-the-timeout-length option. And, as I said, creating a new folder. Then installed and compiled CSS files.

After restarting and loading up, all my archival descriptions were still there, though the AtoM version was upgraded properly (at least it was no longer giving me the notice on top).

Is this supposed to happen? I'm not complaining because it saved me backing up, but you may have other thoughts.

Dan Gillean

Nov 4, 2019, 11:48:25 AM
to ICA-AtoM Users
Hi Matthew, 

Without knowing your exact server setup or what you've done at every step of the process, it's difficult to say. However, if you've created a new directory and then followed all the steps to install and set things up in that new directory, then your data shouldn't already be loaded in the new database. If you've left the old installation running and have followed the instructions exactly, then the issue may be that now you have two instances of a MySQL database called "atom", for instance - so when you navigate to the web, it's likely still pointing to the old one. 

For this reason, I would recommend that you make a backup, then try running the tools purge command to purge everything, so you know the data is gone. Do NOT run this task unless you are certain your data is backed up - it will delete everything! Remove the old installation at this point, and then load the data in the new instance and run the upgrade task, per the upgrade instructions. 

You can then try running the tools:get-version command to confirm that you now have version 2.5.3 installed: 
Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory

On Mon, Nov 4, 2019 at 6:28 AM Matthew Bruton <matthewb...@gmail.com> wrote:
Thanks Dan.
Helpful as always.

One super quick question:

I went with the changing the timeout length option. And, as I said creating a new folder. Then installed and compiled CSS files.

So all my files were still there. ( I didn't bother with the backup).

Is this supposed to happen? I'm not complaining because it saved me backing up, but you may have other thoughts.
