Platform Release Notes 1.11.5

Release Date: Monday November 30th 2015 

This version of the OpenMRS Platform is not intended for implementations running a Reference Application version other than OpenMRS 2.2 and above, because it contains several incompatible changes that will break some modules.

What's New

This release is "OpenMRS Platform 1.11.5", a maintenance release of the under-the-hood OpenMRS API that follows 1.11.4. The only difference between this release and Platform 1.11.4 is that we've addressed 2 major security vulnerabilities which would allow an authenticated user to remotely execute arbitrary code via XML deserialization and Spring's Expression Language support feature.

For the time being, we are in an awkward phase, where the legacy UI remains within the OpenMRS Platform and the new OpenMRS UI has not fully replaced the legacy UI. As a result, many implementations will continue to use the platform without the new web application and people will continue to be confused by the naming of "OpenMRS Platform". We are working hard to resolve this by OpenMRS 2.4, when implementations will be able to upgrade into the new application and the legacy UI can be retired from the platform.

To upgrade from a pre-1.10 version, you will certainly need to read Prepare for Upgrading From a Pre-1.10 to 1.10 or Later Version.

Bug Fixes

  • Disabled serialization and deserialization of dynamic proxies
  • Disabled deserialization of external entities in XML files
  • Disabled Spring's Expression Language support

Who is this release meant for?

  • Anyone running OpenMRS Platform

  • Anyone running OpenMRS Reference Application 2.2 and 2.3

If you are running the serialization.xstream, metadata sharing or reporting module, be aware that they expose some security risks too, so you are strongly recommended to upgrade them to the versions below:

  • Serialization.xstream 0.2.10 or later

  • Metadata sharing 1.1.10 or later

  • Reporting 0.9.8.1 or later
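A quick way to check an installation against the minimum module versions listed above (an added example, not part of the original release notes or OpenMRS code). The module ids used as keys and the `SAMPLE` inventory are assumptions constructed for illustration; the comparison is numeric per segment, so 0.2.10 correctly ranks above 0.2.9 and 0.9.8 ranks below 0.9.8.1.

```python
import re

# Minimum fixed versions from the release notes; the keys are assumed module ids.
MIN_FIXED = {
    "serialization.xstream": "0.2.10",
    "metadatasharing": "1.1.10",
    "reporting": "0.9.8.1",
}

def parse_version(text):
    """Return (numeric_tuple, is_release); '0.9.8.1-SNAPSHOT' -> ((0, 9, 8, 1), False)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2) is None

def at_least(installed, minimum):
    """True if 'installed' is the 'minimum' release or newer."""
    inst, is_release = parse_version(installed)
    need, _ = parse_version(minimum)
    width = max(len(inst), len(need))
    inst += (0,) * (width - len(inst))   # pad so 0.9.8 compares as 0.9.8.0
    need += (0,) * (width - len(need))
    if inst != need:
        return inst > need
    return is_release  # a -SNAPSHOT of the fixed version may predate the fix

def audit(installed_modules):
    """Map each module named in the notes to 'ok', 'not installed' or an upgrade hint."""
    findings = {}
    for module_id, minimum in MIN_FIXED.items():
        version = installed_modules.get(module_id)
        if version is None:
            findings[module_id] = "not installed"
        elif at_least(version, minimum):
            findings[module_id] = "ok"
        else:
            findings[module_id] = f"upgrade to {minimum} or later"
    return findings

# Constructed sample inventory (module id -> installed version), not real data.
SAMPLE = {"serialization.xstream": "0.2.9", "metadatasharing": "1.1.10", "reporting": "0.9.8"}

if __name__ == "__main__":
    for module_id, status in audit(SAMPLE).items():
        print(f"{module_id}: {status}")
```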

Community Input

A huge thanks to the people who contributed code to this release, not to mention all the people who contributed in countless other ways to support this release and were a great part of shaping it, and to the whole infrastructure team!

We welcome any user to download OpenMRS 1.11.5, try it out and give us feedback.

If you run into any bugs, send a message via talk or create a new JIRA ticket (click upper right icon).

Download

OpenMRS Platform 1.11.5 represents revision: a0c979f7da855444cbec33e5d751d5029d1db5d2

Download OpenMRS Platform 1.11.5

Bundled Modules

Rest Web Services 2.12