Version 4.2.12

Released: November 13, 2022

Status: Maintenance

Changes

This version includes all fixes from version 4.1.10.

Security

A patch was added to close Python’s vulnerability CVE-2007-4559

https://nvd.nist.gov/vuln/detail/CVE-2007-4559

This is a language level vulnerability which exposed older versions of Mayan EDMS only when downloading JavaScript dependencies from the NPM registry.

Exploiting this vulnerability requires compromising an existing package hosted on the NPM registry and adding Python code specifically targeting Mayan EDMS. As part of the project’s design philosophies, dependencies are only downloaded from authoritative locations and each dependency is pinned to a specific version to guarantee immutable releases.

Due to all these factors, the surface of attack of this vulnerability is very limited for older versions of Mayan EDMS, it is also very improbable, very difficulty to accomplish and very difficult to remain undetected.

There are no known actual or theoretical attacks for Mayan EDMS exploiting this vulnerability.

Other

  • Add a subclass of Path that adds the method is_relative_to for Python versions lower than 3.9.

Removals

  • None

Upgrade process

Docker Compose

Check the Docker upgrading chapter for the complete upgrade process.

Backward incompatible changes

  • None

Issues closed

  • None