Difference between revisions of "Archivematica 1.11.1"

Revision as of 14:03, 20 May 2020

Release date: 20 May 2020

This release fixes a critical security issue found in the Archivematica dashboard that allowed unauthorized users to access some parts of the Administration tab.

This issue was discovered as a result of a security audit by Scholars Portal. It was not discovered as a result of a breach. Scholars Portal reported the issue to Artefactual privately via email. Once we became aware of the issue, we began to develop the fix. Artefactual has also implemented security reporting process documentation across Archivematica-related GitHub repositories and changed issue templates to reflect a more secure process. You can review Archivematica’s security reporting process here: https://github.com/artefactual/archivematica/security/policy.

Upgrading

The fix is easy to install, since the issue affects only the dashboard.

CentOS users relying on Archivematica packages should run:

    sudo yum -y update archivematica-dashboard
    sudo systemctl restart archivematica-dashboard

Automated installations using Ansible should deploy from our stable branches: stable/1.9.x, stable/1.10.x or stable/1.11.x.

Alternatively, a fix can be applied at the web server. The following configuration snippet shows an updated Nginx server block with the additional blocking rule added.

    server {
        listen 80;
        client_max_body_size 256M;
        server_name _;
        location / {
            set $upstream_endpoint http://archivematica-dashboard:8000;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
            proxy_buffering off;
            proxy_read_timeout 172800s;
            proxy_pass $upstream_endpoint;
        }

        # Directive to block access to admin pages in
        # Archivematica v1.11.0 or older.
        location ~ ^/administration/accounts/login/.+$ {
            return 404;
        }
    }
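
Two details of the Nginx rule above matter when deciding whether it protects a deployment: Nginx evaluates regular-expression locations (`location ~ ...`) before falling back to the `location /` prefix, so the rule takes effect even though it is written after the proxy block, and the regex is matched against the decoded, normalized request URI without the query string, so `/administration/accounts/login/` itself (the login page) remains reachable while anything below it returns 404. The following Python script is an added example, not code from the Archivematica project or from this page: it approximates Nginx's URI normalization under default settings (this approximation is an assumption, not Nginx's own code) and checks a constructed set of request paths against the rule, so an operator can reason about what the workaround blocks before deploying it.

```python
import re
from urllib.parse import unquote

# The location regex exactly as it appears in the Nginx snippet above.
BLOCK_RULE = re.compile(r"^/administration/accounts/login/.+$")


def normalize_uri(raw: str) -> str:
    """Approximate the URI Nginx matches regex locations against.

    Assumptions (not Nginx's own code): default merge_slashes on, the query
    string is dropped, percent-encoding is decoded, and "." / ".." segments
    are resolved before matching.
    """
    path = raw.split("?", 1)[0]
    path = unquote(path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue          # duplicate slashes and "." collapse away
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    # Keep a trailing slash when the request path ended with one (or with a
    # dot segment, which Nginx also resolves to a directory-style path).
    if path.endswith(("/", "/.", "/..")) and norm != "/":
        norm += "/"
    return norm


def blocked(raw_uri: str) -> bool:
    """True if the Nginx rule would answer this request with 404."""
    return BLOCK_RULE.match(normalize_uri(raw_uri)) is not None


def verify_rule(cases):
    """Return (uri, expected, actual) for every case the rule gets wrong."""
    return [(uri, exp, blocked(uri)) for uri, exp in cases if blocked(uri) != exp]


# Constructed sample requests with the behaviour an operator expects.
CASES = [
    ("/administration/accounts/login/", False),         # login page stays reachable
    ("/administration/accounts/login/?next=/", False),  # query string is not matched
    ("/administration/accounts/login/extra", True),     # anything below login/ is blocked
    ("/administration/accounts/login/sub/path", True),
    ("/administration//accounts/login/x", True),        # duplicate slashes are merged first
    ("/administration/accounts/login/%78", True),       # percent-decoded before matching
    ("/administration/accounts/", False),               # other admin paths go to the app
    ("/ingest/", False),
]

if __name__ == "__main__":
    for uri, _ in CASES:
        print(f"{uri:45} -> {'404' if blocked(uri) else 'proxied'}")
    mismatches = verify_rule(CASES)
    print("rule behaves as expected" if not mismatches else f"mismatches: {mismatches}")
```

Running the script prints, for each constructed path, whether the rule returns 404 or lets the request through to the dashboard. Note that `location ~` is case-sensitive and only the decoded path is examined; if the server block differs from the one shown (for example a `^~` prefix location or a different `merge_slashes` setting), the simulation no longer applies and the rule should be verified against the real Nginx instance instead.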


Fixed

* 1.11.1 milestone: https://github.com/archivematica/Issues/milestone/14