Archivematica 1.10.2
Home > Release Notes > Archivematica 1.10.2
Release date: 20 May 2020
This release fixes a critical security issue found in the Archivematica dashboard that allows unauthorized users to access some parts of the Administration tab.
This issue was discovered as a result of a security audit by Scholars Portal. It was not discovered as a result of a breach. Scholars Portal reported the issue to Artefactual privately via email. Once we became aware of the issue, we began to develop the fix. Artefactual has also implemented security reporting process documentation across Archivematica-related GitHub repositories and changed issue templates to reflect a more secure process. You can review Archivematica’s security reporting process here: https://github.com/artefactual/archivematica/security/policy.
Upgrading
The fix can be easily installed since this issue only affects the dashboard.
CentOS users relying on Archivematica packages should run:
sudo yum -y update archivematica-dashboard sudo systemctl restart archivematica-dashboard
Automated installations using Ansible should deploy from our stable branches: stable/1.9.x, stable/1.10.x or stable/1.11.x.
Alternately, a fix can be applied to the web server. The following configuration snippet shows an updated Nginx server block with the additional rule added.
server { listen 80; client_max_body_size 256M; server_name _; location / { set $upstream_endpoint http://archivematica-dashboard:8000; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_redirect off; proxy_buffering off; proxy_read_timeout 172800s; proxy_pass $upstream_endpoint; } # Directive to block access to admin pages in # Archivematica v1.11.0 or older. location ~ ^/administration/accounts/login/.+$ { return 404; } }
After the fix has been applied, please be sure to update passwords and API keys:
- Change the password and API key for the Storage Service user:
- In the Storage Service, change the password for the Storage Service user that the Archivematica dashboard uses. This will also regenerate the API key for the Storage Service user.
- In the Archivematica dashboard, under Administration > General, update the Storage Service user password and the API key to reflect the new password/key.
- Change the password for AtoM/Binder DIP upload.
- Review the PREMIS agent information to ensure that it is correct.