Difference between revisions of "Archivematica 1.11.1"
| (4 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
'''Release date: 20 May 2020''' | '''Release date: 20 May 2020''' | ||
| − | + | This release fixes a critical security issue found in the Archivematica dashboard that allows unauthorized users to access some parts of the Administration tab. | |
This issue was discovered as a result of a security audit by Scholars Portal. It was not discovered as a result of a breach. Scholars Portal reported the issue to Artefactual privately via email. Once we became aware of the issue, we began to develop the fix. Artefactual has also implemented security reporting process documentation across Archivematica-related GitHub repositories and changed issue templates to reflect a more secure process. You can review Archivematica’s security reporting process here: https://github.com/artefactual/archivematica/security/policy. | This issue was discovered as a result of a security audit by Scholars Portal. It was not discovered as a result of a breach. Scholars Portal reported the issue to Artefactual privately via email. Once we became aware of the issue, we began to develop the fix. Artefactual has also implemented security reporting process documentation across Archivematica-related GitHub repositories and changed issue templates to reflect a more secure process. You can review Archivematica’s security reporting process here: https://github.com/artefactual/archivematica/security/policy. | ||
| Line 45: | Line 45: | ||
</pre> | </pre> | ||
| + | After the fix has been applied, please be sure to update passwords and API keys: | ||
| + | * Change the password and API key for the Storage Service user: | ||
| + | ** In the Storage Service, change the password for the Storage Service user that the Archivematica dashboard uses. This will also regenerate the API key for the Storage Service user. | ||
| + | ** In the Archivematica dashboard, under Administration > General, update the Storage Service user password and the API key to reflect the new password/key. | ||
| + | * Change the password for AtoM/Binder DIP upload. | ||
| + | * Review the PREMIS agent information to ensure that it is correct. | ||
| + | |||
| + | <div style="padding: 10px 10px; border: 1px solid black; background-color: #F79086;">Note: if you are upgrading from Archivematica 1.10.x or earlier, please be sure to clean up the completed transfers watched directory before upgrading. Instructions can be found on the [https://www.archivematica.org/en/docs/archivematica-1.11/admin-manual/installation-setup/upgrading/upgrading/#upgrade Upgrading] page in the documentation. </div> <p> | ||
==Fixed== | ==Fixed== | ||
| − | * [ | + | * [https://github.com/archivematica/Issues/milestone/14 1.11.1 milestone] |
Latest revision as of 16:28, 30 June 2020
Home > Release Notes > Archivematica 1.11.1
Release date: 20 May 2020
This release fixes a critical security issue found in the Archivematica dashboard that allows unauthorized users to access some parts of the Administration tab.
This issue was discovered as a result of a security audit by Scholars Portal. It was not discovered as a result of a breach. Scholars Portal reported the issue to Artefactual privately via email. Once we became aware of the issue, we began to develop the fix. Artefactual has also implemented security reporting process documentation across Archivematica-related GitHub repositories and changed issue templates to reflect a more secure process. You can review Archivematica’s security reporting process here: https://github.com/artefactual/archivematica/security/policy.
Upgrading[edit]
The fix can be easily installed since this issue only affects the dashboard.
CentOS users relying on Archivematica packages should run:
sudo yum -y update archivematica-dashboard
sudo systemctl restart archivematica-dashboard
Automated installations using Ansible should deploy from our stable branches: stable/1.9.x, stable/1.10.x or stable/1.11.x.
Alternately, a fix can be applied to the web server. The following configuration snippet shows an updated Nginx server block with the additional rule added.
server {
listen 80;
client_max_body_size 256M;
server_name _;
location / {
set $upstream_endpoint http://archivematica-dashboard:8000;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
proxy_buffering off;
proxy_read_timeout 172800s;
proxy_pass $upstream_endpoint;
}
# Directive to block access to admin pages in
# Archivematica v1.11.0 or older.
location ~ ^/administration/accounts/login/.+$ {
return 404;
}
}
After the fix has been applied, please be sure to update passwords and API keys:
- Change the password and API key for the Storage Service user:
- In the Storage Service, change the password for the Storage Service user that the Archivematica dashboard uses. This will also regenerate the API key for the Storage Service user.
- In the Archivematica dashboard, under Administration > General, update the Storage Service user password and the API key to reflect the new password/key.
- Change the password for AtoM/Binder DIP upload.
- Review the PREMIS agent information to ensure that it is correct.