Version 4.2.12
Released: November 13, 2022
Status: Maintenance
Changes
This version includes all fixes from version 4.1.10.
Security
A patch was added to close Python’s vulnerability CVE-2007-4559
https://nvd.nist.gov/vuln/detail/CVE-2007-4559
This is a language-level vulnerability that exposed older versions of Mayan EDMS only when downloading JavaScript dependencies from the NPM registry.
Exploiting this vulnerability requires compromising an existing package hosted on the NPM registry and adding Python code specifically targeting Mayan EDMS. As part of the project’s design philosophies, dependencies are only downloaded from authoritative locations and each dependency is pinned to a specific version to guarantee immutable releases.
Due to all these factors, the attack surface of this vulnerability is very limited for older versions of Mayan EDMS. An attack is also very improbable, very difficult to accomplish, and very difficult to carry out without being detected.
There are no known actual or theoretical attacks for Mayan EDMS exploiting this vulnerability.
Other
Add a subclass of Path that adds the method is_relative_to for Python versions lower than 3.9.
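The Security and Other entries above both relate to keeping extracted files inside a destination directory. The following is an added example, not Mayan EDMS's own patch: a containment check of the kind that closes CVE-2007-4559 when unpacking a downloaded package tarball, built on an is_relative_to helper that also works on Python versions lower than 3.9. The function names and the sample archive are constructed for illustration, and refusing link members outright is a conservative assumption.

```python
import io
import tarfile
from pathlib import Path


def is_relative_to(path, base):
    """Equivalent of Path.is_relative_to() that also works before Python 3.9."""
    try:
        path.relative_to(base)
        return True
    except ValueError:
        return False


def unsafe_members(archive, destination):
    """Return the names of members that must not be extracted."""
    base = Path(destination).resolve()
    rejected = []
    for member in archive.getmembers():
        # An absolute name replaces base; "../" segments climb out of it.
        target = (base / member.name).resolve()
        if not is_relative_to(target, base):
            rejected.append(member.name)
        elif member.issym() or member.islnk():
            # Assumption: package tarballs need no links, so refuse them all.
            rejected.append(member.name)
    return rejected


def safe_extract(archive, destination):
    """Extract only when every member stays inside destination."""
    rejected = unsafe_members(archive, destination)
    if rejected:
        raise ValueError("blocked archive members: {}".format(rejected))
    archive.extractall(destination)


def build_sample_archive(names):
    """Constructed sample input: an in-memory tar holding the given names."""
    buffer = io.BytesIO()
    with tarfile.open(fileobj=buffer, mode="w") as archive:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 2
            archive.addfile(info, io.BytesIO(b"ok"))
    buffer.seek(0)
    return tarfile.open(fileobj=buffer, mode="r")
```

The whole archive is validated before anything is written, so a single bad member leaves the destination untouched.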
Removals
None
Upgrade process
Docker Compose
Check the Docker upgrading chapter for the complete upgrade process.
Direct deployment
Upgrading from Mayan EDMS 3.5.x
Important
Supervisord must be upgraded to version 4.2.2. See troubleshooting section: After upgrade to version 4.1
Stop supervisord:
sudo systemctl stop supervisor
Make a backup of your supervisord file:
sudo cp /etc/supervisor/conf.d/mayan-edms.conf /etc/supervisor/conf.d/mayan-edms.conf.bck
Make a backup of your database:
Use the respective backup command for the database:
Upgrade to the latest pip version:
sudo --user=mayan /opt/mayan-edms/bin/pip install --upgrade pip
Remove deprecated requirements:
sudo --user=mayan curl https://gitlab.com/mayan-edms/mayan-edms/raw/master/removals.txt --output /tmp/removals.txt \
&& sudo --user=mayan /opt/mayan-edms/bin/pip uninstall --requirement /tmp/removals.txt --yes
Update the Mayan EDMS Python package:
sudo --user=mayan /opt/mayan-edms/bin/pip install mayan-edms==4.4.5
The requirements will also be updated automatically.
Update the Redis configuration to serve at least 3 databases:
Replace:
databases ...
with:
databases 3
Restart Redis for the changes to take effect:
sudo systemctl restart redis
Edit the config file at /opt/mayan-edms/media/config.yml:
Replace:
LOCK_MANAGER_BACKEND: ...
LOCK_MANAGER_BACKEND_ARGUMENTS: ...
with:
LOCK_MANAGER_BACKEND: mayan.apps.lock_manager.backends.redis_lock.RedisLock
LOCK_MANAGER_BACKEND_ARGUMENTS: {'redis_url':'redis://:mayanredispassword@<IP address of Redis server>:6379/2'}
Update the supervisord configuration file. Replace the environment variable values shown here with your respective settings. This step will refresh the supervisord configuration file with the new queues and the latest recommended layout:
sudo --user=mayan MAYAN_MEDIA_ROOT=/opt/mayan-edms/media/ \
/opt/mayan-edms/bin/mayan-edms.py platformtemplate supervisord | sudo sh -c "cat > /etc/supervisor/conf.d/mayan-edms.conf"
Edit the supervisord configuration file and update any setting specific to your installation:
sudo vi /etc/supervisor/conf.d/mayan-edms.conf
Migrate existing database schema and static media files with:
sudo --user=mayan MAYAN_MEDIA_ROOT=/opt/mayan-edms/media/ \
/opt/mayan-edms/bin/mayan-edms.py performupgrade
Start supervisord:
sudo systemctl start supervisor
Clear the browser cache to avoid loading old web assets.
The upgrade procedure is now complete.
Troubleshooting
Follow the solutions outlined in the troubleshooting section: After upgrade to version 4.1
Backward incompatible changes
None
Issues closed
None