Platform Release Notes 1.9.10

Release Date: Monday November 30th 2015 

This version of the OpenMRS Platform is not intended for use by implementations running a Reference Application version other than OpenMRS 2.0.

 

What's New

This release is "OpenMRS Platform 1.9.10", a maintenance release of the under-the-hood OpenMRS API that follows 1.9.9. The only difference between this release and Platform 1.9.9 is that we've addressed 2 major security vulnerabilities which would allow an authenticated user to remotely execute arbitrary code via XML deserialization and Spring's Expression Language support feature.

For the time being, we are in an awkward phase, where the legacy UI remains within the OpenMRS Platform and the new OpenMRS UI has not fully replaced the legacy UI. As a result, many implementations will continue to use the platform without the new web application and people will continue to be confused by the naming of "OpenMRS Platform". We are working hard to resolve this by OpenMRS 2.3, when implementations will be able to upgrade into the new application and the legacy UI can be retired from the platform.

Bug Fixes

  • Disabled serialization and deserialization of dynamic proxies
  • Disabled deserialization of external entities in XML files
  • Disabled Spring's Expression Language support

 

Who is this release meant for?

  • Anyone running OpenMRS Platform 1.9.x or older versions

  • Anyone running OpenMRS Reference Application 2.0

 

If you are running the serialization.xstream, metadata sharing, or reporting modules, they expose some security risks too, so you are strongly recommended to upgrade them to the versions below:

  • Serialization.xstream 0.2.10 or later
  • Metadata sharing 1.1.10 or later
  • Reporting 0.9.8.1 or later
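
A quick way to check an installation against the minimum versions listed above, as an added example that is not part of the original release notes. It assumes module files follow the `<moduleid>-<version>.omod` naming pattern and that the module ids are `serialization.xstream`, `metadatasharing` and `reporting`; the file names in the sample are constructed.

```python
import re

# Minimum versions named in the release notes above.
MINIMUM_VERSIONS = {
    "serialization.xstream": "0.2.10",
    "metadatasharing": "1.1.10",
    "reporting": "0.9.8.1",
}

# Assumption: module files are named <moduleid>-<version>[-qualifier].omod
OMOD_NAME = re.compile(
    r"^(?P<id>[A-Za-z][\w.]*?)-(?P<ver>\d+(?:\.\d+)*)(?P<qual>-[\w.]+)?\.omod$"
)


def version_key(text, width=4):
    """'0.2.10' -> (0, 2, 10, 0): numeric, zero-padded, so 0.2.10 > 0.2.9."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def audit(filenames):
    """Return {module_id: (found_version, status)} for the listed modules."""
    report = {}
    for name in filenames:
        match = OMOD_NAME.match(name)
        if not match or match.group("id") not in MINIMUM_VERSIONS:
            continue
        module_id, found = match.group("id"), match.group("ver")
        minimum = MINIMUM_VERSIONS[module_id]
        if version_key(found) < version_key(minimum):
            status = "UPGRADE"
        elif match.group("qual") and version_key(found) == version_key(minimum):
            status = "CHECK"  # pre-release build of the minimum version
        else:
            status = "OK"
        report[module_id] = (found + (match.group("qual") or ""), status)
    return report


if __name__ == "__main__":
    # Constructed sample listing of a modules directory (not from the page).
    sample = [
        "serialization.xstream-0.2.9.omod",
        "metadatasharing-1.1.10.omod",
        "reporting-0.9.8.1-SNAPSHOT.omod",
    ]
    for module_id, (found, status) in sorted(audit(sample).items()):
        print(f"{module_id:24} {found:18} {status}")
```

The comparison is numeric per component, which matters here because a plain string comparison would rank 0.2.9 above 0.2.10.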

Community Input

A huge thanks to the people who contributed code to this release, not to mention all the people who contributed in countless other ways to support this release and help shape it, and to the whole infrastructure team!

We welcome any user to download OpenMRS 1.9.10, try it out, and give us feedback.

If you run into any bugs, send a message via Talk or create a new JIRA ticket (click upper right icon).

Download

OpenMRS Platform 1.9.10 represents revision: f5ae64504b92c535139d16a1eb115c50204801d2

Download OpenMRS Platform 1.9.10

Bundled Modules