1-week notice for disclosure of embargoed patches!

Dear Community,

As you are aware, the following current patch releases contain embargoed security fixes:

  • 2.34.7-EMBARGOED
  • 2.35.8-EMBARGOED
  • 2.36.4-EMBARGOED

Now that all patches containing the related security fixes are available, we plan to disclose the issues, including releasing the fixes into our public open-source repository, in accordance with our vulnerability disclosure policy.

The disclosure will be made on Wednesday 27 October, one week from this announcement!

We strongly encourage you to update to the EMBARGOED versions prior to the disclosure to avoid continuing to run a system with disclosed vulnerabilities.
When we disclose, we will re-tag the currently embargoed releases without the -EMBARGOED suffix.

Yours,
The DHIS2 Release Team

4 Likes

UPDATE: Please note that the disclosure will now be delayed by a couple of days, for various reasons.
(This gives you a little extra time to update your version to a secure one if you haven’t already 😉)

2 Likes

😇 Just waiting.

1 Like

Dear All,

The issues are now disclosed and patched across affected branches in the public repository.
Release tags have been updated (without the -EMBARGOED suffix), and WAR files and Docker images have been generated accordingly.
We will be updating the downloads page, and other resources, in the coming hours.

Thanks,
Phil

4 Likes