ssmusoke
(Stephen Senkomago Musoke)
December 1, 2015, 7:03am
1
Continuing the discussion from OpenMRS Security Advisories: 2015-11-30:
I can see that there is currently no release for 1.9.10 - I would like to volunteer to do so. However I need permissions to be able to - so @helpdesk1 please advise.
We’ve released new versions of OpenMRS Platform 1.11.x, the Serialization.Xstream module, and the Metadata Sharing module to address the security issues below:
Affected: OpenMRS Core
Severity: Major
Exploit: Remote Code Execution by an authenticated user
Affected: Serialization.Xstream module
Severity: Major
Exploit: Remote Code Execution by an authenticated user
Affected: Metadata Sharing module
Severity: Major
Exploit: Remote Code Execution by an authenticated user
## Who is affected? ##
Anyone running OpenMRS Platform (1.9.0 and later)
Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3
Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.
Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.
## Recommendations ##
Anyone running the OpenMRS Platform (1.9.0 and later) should upgrade to the latest releases of the platform, which are 1.11.5, 1.10.3 and 1.9.10; of course, one would have to get a version that is at least higher than what they’re currently running. If you are also running the serialization.xstream or metadatasharing modules, you should upgrade to the latest version (0.2.10 for serialization.xstream; 1.1.10 for metadatasharing). Note that because of a bug in modules.openmrs.org the latest version of these modules is not at the top of the list, and the Download link on the top right is incorrect. Please carefully find the version numbers mentioned here.
Anyone running any version of the Reference Application released so far (2.0-2.3) needs to either upgrade to the 2.3.1 (or later) version of the reference application, or else do the following:
Replace the platform war file with any of the latest releases of the platform war file which are 1.11.5, 1.10.3 and 1.9.10 that is at least higher than what they are currently running.
Install the following versions of the following modules:
We urge you to make the recommended changes as soon as possible.
A huge thanks to Brian D. Hysell and Gjoko Krstic who discovered and reported these issues. We also can’t forget to thank all the OpenMRS developers that have helped us in addressing these issues.
michael
(Michael Downey)
December 1, 2015, 12:16pm
2
This is already done, but thank you for volunteering!
The latest minor releases have been uploaded to sourceforge; you can download them at 1.11.5, 1.10.3 and 1.9.10. Thank you for your patience.
Would you be interested in considering a volunteer role as a release manager for an upcoming release? You can chat with @maurya at omrs15 to learn more.
ssmusoke
(Stephen Senkomago Musoke)
December 1, 2015, 12:32pm
3
@maurya I will look for you in Singapore to learn more