Version 4.3.3

Tue, Nov 15, 2022

Version 4.3.3

Released: November 15, 2022

Status: Stable

Changes

This version includes all fixes from version 4.2.12.

Security

A patch was added to close Python's vulnerability CVE-2007-4559

https://nvd.nist.gov/vuln/detail/CVE-2007-4559

This is a language level vulnerability which exposed older versions of Mayan EDMS only when downloading JavaScript dependencies from the NPM registry.

Exploiting this vulnerability requires compromising an existing package hosted on the NPM registry and adding Python code specifically targeting Mayan EDMS. As part of the project's design philosophies, dependencies are only downloaded from authoritative locations and each dependency is pinned to a specific version to guarantee immutable releases.

Due to all these factors, the surface of attack of this vulnerability is very limited for older versions of Mayan EDMS, it is also very improbable, very difficulty to accomplish and very difficult to remain undetected.

There are no known actual or theoretical attacks for Mayan EDMS exploiting this vulnerability.

Removals

  • None

Backward incompatible changes

  • None

Deprecations

  • None

Issues closed

  • None