Difference between revisions of "Archivematica 1.12.2"

From Archivematica
Jump to navigation Jump to search
(Created page with "Home > Release Notes > Archivematica 1.12.2 '''Release date: 13 Dic 2021''' This release fixes a critical security issue found in the Archive...")
 
Line 18: Line 18:
 
</pre>
 
</pre>
  
Automated installations using Ansible should deploy from the stable branches: stable/1.12.x.
+
Automated installations using Ansible should deploy from the stable branch: stable/1.12.x.
  
 
Alternately, a fix can be applied to the web server. The following configuration snippet shows an updated Nginx server block with the additional rule added.
 
Alternately, a fix can be applied to the web server. The following configuration snippet shows an updated Nginx server block with the additional rule added.

Revision as of 04:30, 13 December 2021

Home > Release Notes > Archivematica 1.12.2

Release date: 13 Dic 2021

This release fixes a critical security issue found in the Archivematica dashboard that allows unauthorized users to access some parts of the Administration tab.

This issue was discovered as a result of a security audit by Scholars Portal. It was not discovered as a result of a breach. Scholars Portal reported the issue to Artefactual privately via email. Once we became aware of the issue, we began to develop the fix. Artefactual has also implemented security reporting process documentation across Archivematica-related GitHub repositories and changed issue templates to reflect a more secure process. You can review Archivematica’s security reporting process here: https://github.com/artefactual/archivematica/security/policy.

Upgrading

The fix can be easily installed since this issue only affects the dashboard.

CentOS users relying on Archivematica packages should run:

    sudo yum -y update archivematica-dashboard
    sudo systemctl restart archivematica-dashboard

Automated installations using Ansible should deploy from the stable branch: stable/1.12.x.

Alternately, a fix can be applied to the web server. The following configuration snippet shows an updated Nginx server block with the additional rule added.

  server {
     listen 80;
     client_max_body_size 256M;
     server_name _;
     location / {
         set $upstream_endpoint http://archivematica-dashboard:8000;
         proxy_set_header Host $http_host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_redirect off;
         proxy_buffering off;
         proxy_read_timeout 172800s;
         proxy_pass $upstream_endpoint;
     }

     # Directive to block access to admin pages in
     # Archivematica v1.11.0 or older.
     location ~ ^/administration/accounts/login/.+$ {
         return 404;
     }
  }

After the fix has been applied, please be sure to update passwords and API keys:

  • Change the password and API key for the Storage Service user:
    • In the Storage Service, change the password for the Storage Service user that the Archivematica dashboard uses. This will also regenerate the API key for the Storage Service user.
    • In the Archivematica dashboard, under Administration > General, update the Storage Service user password and the API key to reflect the new password/key.
  • Change the password for AtoM/Binder DIP upload.
  • Review the PREMIS agent information to ensure that it is correct.
Note: if you are upgrading from Archivematica 1.10.x or earlier, please be sure to clean up the completed transfers watched directory before upgrading. Instructions can be found on the Upgrading page in the documentation.