[ome-users] Release of OMERO 5.4.7 including SECURITY FIX

[Jean-Marie Burel (Staff)]

Dear All,

Today we are releasing OMERO 5.4.7, a bug-fix release which also introduces some new functionality.

It includes security fixes for 2018-SV1 POST password [1], 2018-SV2 Script Name UUID [2] and 2018-SV3 Modify User Password [3]. It is highly recommended that you upgrade.

Impacts of the security vulnerability fixes include:

* omero.security.password_required=false no longer applies for
  administrators: their correct password is always required
* administrators can no longer change the password of other
  administrators who are more privileged in any way
* administrators can no longer reset their password and receive the new
  one by e-mail: they must instead have another administrator who is at
  least as privileged set a new password manually
* cli: the session UUID has been removed from the standard output when
  logging in but can still be retrieved using `bin/omero sessions key`

Improvements include:

*  web: fix loss of privileges when editing full admins
*  web: fix exceptions on invalid connections
*  web: fix CSS in group/user search element
*  web: fix error when public user is disabled
*  web: gray out user role when editing root user
*  insight: permit open_with on original files
*  read-only: reduce error logging for scripts and pixel data
*  scripts: improve error messages for invalid MATLAB
*  as well as various documentation improvements

Sysadmin improvements include:

*  log locale and time zone information on startup

Developer updates include:

*  cli: clean up "communicator not destroyed" logging
*  cli: don't hang when incorrect password passed in a script
*  java: add a map annotation example
*  java: throw a clear exception when -1 is used for all groups
*  web: fix @render_response when extending base templates
*  matlab: contributions from Kouichi Nakamura for working with annotations

This release also upgrades the version of Bio-Formats which OMERO
uses to 5.9.0. **Note:** this is a significant upgrade and will
invalidate the Bio-Formats Memoizer cache. Please see the upgrade
guide for further information.

OME policy is that security releases should not invalidate the Bio-Formats Memoizer cache. However, our previous OMERO 5.4.6 release accidentally included a Bio-Formats merge artifact that did not receive the quality assurance we require of release versions. We have now updated the version of Bio-Formats included in OMERO 5.4.7 and this will cause a refresh of the Memoizer cache. We apologize for this unfortunate mistake and for the extra work required by our users. We have adjusted the internal processes that caused it.


Upgrade information is on the server upgrade page - https://docs.openmicroscopy.org/omero/5.4.7/sysadmins/server-upgrade.html.

The software is also available at https://downloads.openmicroscopy.org/omero/5.4.7.

Any problems or comments, please use the OME Forums or mailing lists - https://www.openmicroscopy.org/support/


Regards,

The OME Team

[1] https://www.openmicroscopy.org/security/advisories/2018-SV1-post-password/
[2] https://www.openmicroscopy.org/security/advisories/2018-SV2-script-name-uuid/
[3] https://www.openmicroscopy.org/security/advisories/2018-SV3-modify-user-password/

The University of Dundee is a registered Scottish Charity, No: SC015096
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openmicroscopy.org.uk/pipermail/ome-users/attachments/20180726/937df714/attachment.html>