Greetings AtoM community members,
We have another new security release available today for public download and installation.
We’ve closed 4 issues in this release, including a security patch and a fix for a permissions regression introduced in 2.5.0 that was affecting custom groups. We encourage all 2.5.x users to upgrade as soon as possible.
Release links:
Security patch
A regression has been discovered in releases 2.5 and 2.5.1 that exposes AtoM users to a potential cross-site scripting (XSS) vulnerability. We attempted to fix this in release 2.5.2, but thanks to help from several community members using AtoM’s new security reporting policy, we have discovered a few other inputs that were not properly being escaped.
This 2.5.3 release includes a patch that introduces a new global field escaping strategy to fix the regression, rather than patching issues locally as they are discovered.
Related issue ticket: #13192
We encourage all 2.5.x users to upgrade as soon as possible. For those who are concerned about this issue but unable to upgrade at this time, disabling Markdown via Admin > Settings > Markdown will also circumvent the issue until upgrading is possible.
Alternatively, users could apply the following commit as a patch to a 2.5.2 installation to resolve the issue in their current installation:
Bug fixes
In addition to the security patch described above, we have also closed 3 other issues, including fixing a regression introduced in 2.5.0 that was affecting custom group permissions. You can view more details on these tickets in our issue tracker, at the following links:
Visit the Downloads page to download the most recent release, and consult the 2.5 Upgrading and Installation guides in our documentation for further information.
Thank you to all of our community members for helping to make this release possible. As always, let us know if you have any questions!
Cheers,
Dan,
--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/cf478677-ffaf-4e90-8bf0-e308c1c97c83%40googlegroups.com.
Thanks Dan. Helpful as always. One super quick question: I went with the option of changing the timeout length. And, as I said, creating a new folder. Then installed and compiled CSS files.
So all my files were still there. (I didn't bother with the backup.)
Is this supposed to happen? I'm not complaining because it saved me backing up, but you may have other thoughts.