dhis2-devs team mailing list archive

Thread
Date

security issue - upgrade action required for 2.28 and older versions

To: DHIS 2 Developers list <dhis2-devs@xxxxxxxxxxxxxxxxxxx>, DHIS 2 Users list <dhis2-users@xxxxxxxxxxxxxxxxxxx>, security@xxxxxxxxx, dhis2-system-administrators@xxxxxxxxxxxxxxxx
From: Lars Helge Øverland <lars@xxxxxxxxx>
Date: Thu, 15 Nov 2018 13:05:20 +0100

Hi all,

a potential serious security issue has been discovered with one of the
libraries used by DHIS 2. The issue can potentially allow attackers to
write or copy files to disk in arbitrary locations. The attacker needs to
be logged in to DHIS 2 (authenticated) to do this.

The affected versions are *DHIS 2.28 and older*.

We have patched the following versions: 2.25, 2.26, 2.27, 2.28.

We recommend that you upgrade to the latest build of the mentioned releases
if you are affected. We won't disclose more info about this issue on the
public mailing list.


best,

Lars


-- 

Lars Helge Øverland
Technical lead, DHIS 2
University of Oslo
lars@xxxxxxxxx
https://www.dhis2.org

Follow ups

Re: [Dhis2-users] security issue - upgrade action required for 2.28 and older versions
From: tuzo engelbert, 2018-11-15