Release Date: Monday November 30th 2015
This version of the OpenMRS Platform is not intended for use by implementations running a Reference Application version other than OpenMRS 2.0.
This release is "OpenMRS Platform 1.9.10", a maintenance release of the under-the-hood OpenMRS API that follows 1.9.9. The only difference between this release and Platform 1.9.9 is that we've addressed 2 major security vulnerabilities that would allow an authenticated user to remotely execute arbitrary code via XML deserialization and Spring's Expression Language support feature.
For the time being, we are in an awkward phase, where the legacy UI remains within the OpenMRS Platform and the new OpenMRS UI has not fully replaced the legacy UI. As a result, many implementations will continue to use the platform without the new web application and people will continue to be confused by the naming of "OpenMRS Platform". We are working hard to resolve this by OpenMRS 2.3, when implementations will be able to upgrade into the new application and the legacy UI can be retired from the platform.
- Disabled serialization and deserialization of dynamic proxies
- Disabled deserialization of external entities in XML files
- Disabled Spring's Expression Language support
Who is this release meant for?
- Anyone running OpenMRS Platform 1.9.x or older versions
- Anyone running OpenMRS Reference Application 2.0
A huge thanks to the people who contributed code to this release, not to mention all the people who contributed in countless other ways to support this release and help shape it, and to the whole infrastructure team!
We welcome any user to download OpenMRS 1.9.10, try it out, and give us feedback.
OpenMRS Platform 1.9.10 represents revision: f5ae64504b92c535139d16a1eb115c50204801d2