Dear all,
DHIS2 version 40.9.1 is out as a HOTFIX release to address critical vulnerabilities in v40.
- DHIS2-20195: Create-token User Override
- DHIS2-20243: No-ACL user lookup
Note: these issues can only be exploited by authenticated users.
This is the latest stable release for version 40, and supersedes release 40.9.0.
The release note for this patch can be found here: Patch 40.9.1 Release Note.
If you are unable to apply this patch for some time, advice for mitigating the risk can be found in this post.
Thanks!
DHIS2 Release Team

| Release Information | Links |
|---|---|
| Release Note | Patch 40.9.1 Release Note |
| Upgrade notes | 2.40 Upgrade notes |
| Download release and sample database | Downloads - DHIS2 |
| Documentation | Home - DHIS2 Documentation |
| Source code on GitHub | tag/2.40.9.1 |
| Demo instance | Login app \| DHIS2 |
| Docker | `docker pull dhis2/core:2.40.9.1` (for more Docker image variants, see Docker Hub) |