Hello THREDDS users,

A security vulnerability has been reported for TDS 5, refreshingly not related to logging: a validation error on the "filename" parameter in the notebook service allows malevolent users to request files outside the TDS content directory.

The bug has been fixed and a new snapshot of TDS 5.4 has been published (see downloads <https://www.unidata.ucar.edu/downloads/tds/>). Alternatively, you can turn off the notebook service, in lieu of upgrading, by following the instructions here <https://docs.unidata.ucar.edu/tds/current/userguide/customizing_tds_look_and_feel.html#enabledisable-notebook-service>.

*Affected versions*
The bug was introduced in *TDS 5.0.0-beta9*, and exists in all versions of TDS 5.x prior to today's release. Beta versions prior to and including TDS 5.0.0-beta8 were not affected.

*Upcoming releases*
We still plan to put out official releases of TDS 5.4 and 4.6.20 very soon. We are aiming to do some backlogged bug-squashing prior to the release of 5.4, so keep an eye out for that release.

best,
THREDDS team

--
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)
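
The bug class in the announcement is a request parameter that names a file without being confined to an allowed directory. As an added example (not part of the original message and not the actual TDS fix), this is one way to confine a user-supplied file name to a base directory in Java; `ContentDirGuard` and `resolveInside` are hypothetical names, and a temporary directory stands in for the content directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added illustration; not TDS code. Class and method names are hypothetical.
public class ContentDirGuard {

    // Resolve a request-supplied file name against baseDir, refusing anything that escapes it.
    static Path resolveInside(Path baseDir, String filename) throws IOException {
        if (filename == null || filename.isEmpty() || filename.indexOf('\0') >= 0) {
            throw new SecurityException("invalid filename");
        }
        Path base = baseDir.toRealPath();            // canonical form of the allowed root
        Path candidate;
        try {
            candidate = base.resolve(filename).normalize();  // collapses "." and ".." segments
        } catch (InvalidPathException e) {
            throw new SecurityException("invalid filename");
        }
        // An absolute filename replaces base in resolve(); ".." climbs above it. Both fail here.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("filename escapes content directory");
        }
        // Follow symlinks on an existing target and check containment again.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("filename escapes content directory via link");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temp directory plays the role of the content directory.
        Path base = Files.createTempDirectory("content");
        Files.createDirectories(base.resolve("notebooks"));
        Files.writeString(base.resolve("notebooks/viewer.ipynb"), "{}");

        String[] inputs = {"notebooks/viewer.ipynb", "../outside.txt",
                           "notebooks/../../outside.txt", base.getParent().resolve("x").toString()};
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + base.toRealPath().relativize(resolveInside(base, in)));
            } catch (SecurityException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

`Path.startsWith` compares whole path components, so a sibling directory whose name merely begins with the base directory's name is not accepted.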