Sevein at 16:38, 13 December 2021

2021-12-13T16:38:48Z

Sevein at 10:30, 13 December 2021

2021-12-13T10:30:50Z

Sevein: Created page with "Home > Release Notes > Archivematica 1.12.2 '''Release date: 13 Dic 2021''' This release fixes a critical security issue found in the Archive..."

2021-12-13T10:29:39Z

Created page with "Home > Release Notes > Archivematica 1.12.2 '''Release date: 13 Dic 2021''' This release fixes a critical security issue found in the Archive..."

New page

[[Main_Page|Home]] > [[Release_Notes|Release Notes]] > Archivematica 1.12.2

'''Release date: 13 Dic 2021'''

This release fixes a critical security issue found in the Archivematica dashboard that allows unauthorized users to access some parts of the Administration tab.

This issue was discovered as a result of a security audit by Scholars Portal. It was not discovered as a result of a breach. Scholars Portal reported the issue to Artefactual privately via email. Once we became aware of the issue, we began to develop the fix. Artefactual has also implemented security reporting process documentation across Archivematica-related GitHub repositories and changed issue templates to reflect a more secure process. You can review Archivematica’s security reporting process here: https://github.com/artefactual/archivematica/security/policy.

==Upgrading==

The fix can be easily installed since this issue only affects the dashboard.

CentOS users relying on Archivematica packages should run:

<pre>
sudo yum -y update archivematica-dashboard
sudo systemctl restart archivematica-dashboard
</pre>

Automated installations using Ansible should deploy from the stable branches: stable/1.12.x.

Alternately, a fix can be applied to the web server. The following configuration snippet shows an updated Nginx server block with the additional rule added.

<pre>
server {
listen 80;
client_max_body_size 256M;
server_name _;
location / {
set $upstream_endpoint http://archivematica-dashboard:8000;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
proxy_buffering off;
proxy_read_timeout 172800s;
proxy_pass $upstream_endpoint;
}

# Directive to block access to admin pages in
# Archivematica v1.11.0 or older.
location ~ ^/administration/accounts/login/.+$ {
return 404;
}
}
</pre>

After the fix has been applied, please be sure to update passwords and API keys:

* Change the password and API key for the Storage Service user:
** In the Storage Service, change the password for the Storage Service user that the Archivematica dashboard uses. This will also regenerate the API key for the Storage Service user.
** In the Archivematica dashboard, under Administration > General, update the Storage Service user password and the API key to reflect the new password/key.
* Change the password for AtoM/Binder DIP upload.
* Review the PREMIS agent information to ensure that it is correct.

<div style="padding: 10px 10px; border: 1px solid black; background-color: #F79086;">Note: if you are upgrading from Archivematica 1.10.x or earlier, please be sure to clean up the completed transfers watched directory before upgrading. Instructions can be found on the [https://www.archivematica.org/en/docs/archivematica-1.11/admin-manual/installation-setup/upgrading/upgrading/#upgrade Upgrading] page in the documentation. </div> <p>

← Older revision		Revision as of 16:38, 13 December 2021
Line 52:		Line 52:
	* Change the password for AtoM/Binder DIP upload.		* Change the password for AtoM/Binder DIP upload.
	* Review the PREMIS agent information to ensure that it is correct.		* Review the PREMIS agent information to ensure that it is correct.
−
−	<div style="padding: 10px 10px; border: 1px solid black; background-color: #F79086;">Note: if you are upgrading from Archivematica 1.10.x or earlier, please be sure to clean up the completed transfers watched directory before upgrading. Instructions can be found on the [https://www.archivematica.org/en/docs/archivematica-1.11/admin-manual/installation-setup/upgrading/upgrading/#upgrade Upgrading] page in the documentation. </div> <p>

@@ Line 18: / Line 18: @@
 </pre>
-Automated installations using Ansible should deploy from the stable branches: stable/1.12.x.
+Automated installations using Ansible should deploy from the stable branch: stable/1.12.x.
 Alternately, a fix can be applied to the web server. The following configuration snippet shows an updated Nginx server block with the additional rule added.

Archivematica 1.12.2 - Revision history

Sevein at 16:38, 13 December 2021

Sevein at 10:30, 13 December 2021

Sevein: Created page with "Home > Release Notes > Archivematica 1.12.2 '''Release date: 13 Dic 2021''' This release fixes a critical security issue found in the Archive..."