DHIS2 patch release 2.35.13 is now available - [SECURITY HOTFIX]

Dear all,

DHIS2 version 2.35.13 (patch release) is out as a HOTFIX for the vulnerability referred to as “spring4shell”.

This is the latest stable release for version 2.35, and supersedes releases 2.35.0 to 2.35.12.

The release note for this patch can be found here: Patch 2.35.13 Release Note.

Thanks!

DHIS2 Release Team

Release Information Links

- Release Note: Patch 2.35.13 Release Note
- Upgrade notes: 2.35 Upgrade notes
- Download release and sample database: Downloads - DHIS2
- Documentation and Javadocs: Home - DHIS2 Documentation
- Source code on GitHub: Release 2.35.13 · dhis2/dhis2-core · GitHub
- Demo instance: DHIS 2 Demo - Sierra Leone
- Docker: `docker pull dhis2/core:2.35.13` (for more docker image variants see dockerhub)

@phil Thanks as always for the quick work and context here.

What implications can we expect to find in general functionality of the system with the upgrade of the Spring library from 5.2.9 to 5.2.20, if any? Does this Spring library deal with anything specifically that we should check and make sure functions in the same way as previously constructed in previous versions in DHIS2?

Good questions @Matthew_Boddie! 👍👍

Hi @Matthew_Boddie

Although the Spring library version has been bumped by several patch versions, the changes are all bug fixes, which are not expected to negatively impact functionality. Therefore the tests which are performed as part of our builds, plus the smoke testing we perform on the produced war file, give us a good level of confidence in this patch.

As usual it is always advisable to follow a controlled update process appropriate for your implementation.
Implementations that wish to run longer and more comprehensive testing as part of their update process can run their production system on Java 8, in the meantime, to ensure continued security.

Kind regards,
Phil

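For administrators who want to verify what is actually deployed before and after the update, the following POSIX shell script is an added example and is not part of the DHIS2 release announcement or the dhis2-core project. It inspects a WAR content listing for the bundled `spring-beans` jar, compares its version against the 5.2.20 shipped in 2.35.13, and maps a `java.version` string to its major number (the thread names running on Java 8 as the interim mitigation). The `unzip -l` listing format, the `WEB-INF/lib` layout and the sample listings below are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not DHIS2 project code: audit a deployed DHIS2 WAR for the
# Spring version shipped with 2.35.13 (5.2.20) and report the JVM major version.
# The WAR layout and `unzip -l` format are assumptions; sample listings are constructed.

PATCHED_SPRING="5.2.20"

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# spring_version_from_listing LISTING: print the numeric version of the
# spring-beans jar under WEB-INF/lib in a WAR content listing
# (spring-beans-5.2.20.RELEASE.jar -> 5.2.20); prints nothing if absent.
spring_version_from_listing() {
  printf '%s\n' "$1" |
    sed -n 's#.*WEB-INF/lib/spring-beans-\([0-9][0-9.]*[0-9]\)[^/]*\.jar.*#\1#p' |
    head -n 1
}

# assess_listing LISTING: succeed when the bundled Spring is at or above the
# hotfix level, fail otherwise; prints a one-line verdict either way.
assess_listing() {
  v=$(spring_version_from_listing "$1")
  if [ -z "$v" ]; then
    echo "spring-beans jar not found in listing"
    return 1
  fi
  if version_ge "$v" "$PATCHED_SPRING"; then
    echo "spring-beans $v: at or above $PATCHED_SPRING (hotfix level)"
    return 0
  fi
  echo "spring-beans $v: below $PATCHED_SPRING, upgrade required"
  return 1
}

# java_major_from_string VERSION: map a java.version string to its major
# number; Java 8 reports itself as 1.8.x, newer releases as e.g. 11.0.14.
java_major_from_string() {
  case "$1" in
    1.*) v=${1#1.}; echo "${v%%.*}" ;;
    *)   echo "${1%%.*}" ;;
  esac
}

# audit_war WAR: run the check against a real file (requires `unzip`).
audit_war() {
  assess_listing "$(unzip -l "$1")"
}

# Constructed sample listings in the shape `unzip -l dhis.war` prints.
OLD_LISTING='Archive:  dhis.war
   123456  2021-10-01 10:00   WEB-INF/lib/spring-core-5.2.9.RELEASE.jar
   654321  2021-10-01 10:00   WEB-INF/lib/spring-beans-5.2.9.RELEASE.jar'
NEW_LISTING='Archive:  dhis.war
   123456  2022-04-01 10:00   WEB-INF/lib/spring-core-5.2.20.RELEASE.jar
   654321  2022-04-01 10:00   WEB-INF/lib/spring-beans-5.2.20.RELEASE.jar'

if [ -n "${1:-}" ]; then
  audit_war "$1"
else
  assess_listing "$OLD_LISTING" || true   # expected to fail: 5.2.9 predates the hotfix
  assess_listing "$NEW_LISTING"
  if command -v java >/dev/null 2>&1; then
    jv=$(java -version 2>&1 | head -n 1 | sed 's/.*"\(.*\)".*/\1/')
    echo "running on Java major $(java_major_from_string "$jv")"
  fi
fi
```

Run it with the path to the deployed WAR as the first argument (`sh audit.sh /path/to/dhis.war`) to check a real deployment; without arguments it runs against the two constructed listings and, if a `java` binary is on the PATH, reports the JVM major version.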

@phil thanks for that, and makes sense. In general, if there were problems (which I hear you, we shouldn’t expect), where would it hit us? For example would it be in program rule expressions, program indicators, or perhaps in the sqlViews, etc.? Any particular place where the Spring library functions?