Critical security release of OMERO.server 5.6.1 and OMERO.web 5.6.3

As previously announced, today we are releasing OMERO.server 5.6.1 which fixes several security vulnerabilities, one of them critical, so we urge everyone to upgrade as soon as possible. There are no known workarounds to the most severe vulnerability. We are also releasing OMERO.web 5.6.3 which fixes one security vulnerability and OMERO.py 5.6.2.

OMERO.server 5.6.1 runs in the same deployment environments as OMERO.server 5.6.0 and the Bio-Formats Memoizer cache will not be invalidated so the upgrade should be minor. The only client that you must upgrade is OMERO.web though we also recommend upgrading OMERO.py.

Security Fixes:

OMERO security fixes are available for only OMERO.server 5.6 and greater. The vulnerabilities fixed by this release are:

• 2019-SV1 Reader Used Files (medium)
• 2019-SV2 Group Permissions (medium)
• 2019-SV3 User Privacy (medium)
• 2019-SV4 Web Referrer Leakage (major)
• 2019-SV5 Bypass Filters (critical)
• 2019-SV6 Group Owner Context (low)

Mitigation:

If you cannot perform the upgrade at this time then we strongly recommend that you shut down your OMERO server until upgrade is possible. At the very least you should switch your server into read-only mode and block OMERO.blitz API access to all but omero-web. If you hold any private data on OMERO.server then you should firewall it so that login is available only to those who may read all the data. We have not determined that running OMERO 5.6.0 or earlier even with these restrictions is at all safe.

Installing the Software:

For full details of the changes with the OMERO 5.6 series see the OMERO 5.6.0 release announcement. OMERO.server 5.6.1 is designed to be a small step beyond the 5.6.0 release in order to simplify upgrade. Full documentation for this release is available under https://docs.openmicroscopy.org/omero/5.6.1/.

OMERO.server 5.6.1 is available from archived downloads and omero-web 5.6.3 also includes security fixes. These have been tested with omero-py 5.6.2 so we recommend that you upgrade OMERO.py on both server and web deployments.

Official Docker images are available as usual on Docker Hub with either the latest or the 5.6 tag:

• https://hub.docker.com/r/openmicroscopy/omero-web-standalone
• https://hub.docker.com/r/openmicroscopy/omero-server

You're invited to discuss this announcement here but installation issues may best be raised in a new topic.

All the best with your upgrades,

The OME Team

Release of OMERO 5.6.0 with Python 3

Today we are very excited (also proud, delighted and relieved) to announce the release of OMERO 5.6.0, the first Python3-based release of the OMERO server and web components. This release of OMERO also upgrades the version of Bio-Formats to 6.3.1.

All Python code can and must now be installed separately from the OMERO.server.zip, meaning that fixes can be released more quickly. This version does not require a database upgrade but only supports Python 3. We strongly encourage an immediate upgrade since maintenance of Python 2.7 ended promptly on New Year’s Day and all future OMERO security patches will only be available for OMERO 5.6 and greater.

Deployment environments:

The current list of supported platforms is:

• CentOS 7
• Ubuntu 18.04
• Debian 10*

* Note that Ice 3.6 is the only version of Ice that we support. On Debian 10, the default is Ice 3.7 requiring extra installation steps. There are no plans to add support for Ice 3.7.

Additionally, we have installation guides for Debian 9 and Ubuntu 16.04. In both cases, Python 3.5 will be installed. Not all functionality has been tested with Python 3.5 but we do not expect major issues. If you choose to install OMERO on these environments, we’d welcome feedback and comments.

For all other platforms, we recommend using conda. An ome channel is available on anaconda.org while we investigate moving to conda-forge.

Getting Started:

Documentation for this release is available under https://docs.openmicroscopy.org/omero/5.6.0/ with the Python 3 Migration page being a good place for developers and system administrators to start.

OMERO.server.zip is available at https//downloads.openmicroscopy.org/omero/5.6.0/. The OMERO.py.zip has been dropped in favor of PyPI.

Clients are available on GitHub. The updated OMERO.insight 5.5.8 is available at https://github.com/ome/omero-insight/releases/tag/v5.5.8, which supports connections to both 5.5 and 5.6 servers.

Official Docker images are available as usual on Docker Hub with either the latest or the 5.6 tag:

• https://hub.docker.com/r/openmicroscopy/omero-web-standalone/
• https://hub.docker.com/r/openmicroscopy/omero-server/

And the PyPI-released components include:

• Server libraries
  • https://pypi.org/project/omero-py/5.6.0/
  • https://pypi.org/project/omero-web/5.6.1/
  • https://pypi.org/project/omero-dropbox/5.6.0/
• Web apps
  • https://pypi.org/project/omero-figure/4.2.0/
  • https://pypi.org/project/omero-fpbioimage/0.4.0/
  • https://pypi.org/project/omero-gallery/3.3.0/
  • https://pypi.org/project/omero-iviewer/0.9.0/
  • https://pypi.org/project/omero-mapr/0.4/
  • https://pypi.org/project/omero-parade/0.2.0/
  • https://pypi.org/project/omero-signup/0.2.0/
• CLI plugins
  • https://pypi.org/project/omero-cli-duplicate/0.3.0/
  • https://pypi.org/project/omero-cli-render/0.5.0/
  • https://pypi.org/project/omero-metadata/0.5.0/
  • https://pypi.org/project/omero-rois/0.3.0/
  • https://pypi.org/project/omero-upload/0.3.0/
• Other base libraries
  • https://pypi.org/project/omero-marshal/0.7.0/
  • https://pypi.org/project/omero-scripts/5.6.0/

---

A huge thanks to several beta testers for all the help in making this release possible!

All the best with your upgrades,
The OME Team

Release of OMERO 5.5.1

Dear all,

Today we are releasing OMERO 5.5.1, a full production-ready release of OMERO.

This bug fix release focuses on installation issues that were seen with 5.5.0 and also upgrades the version of Bio-Formats which OMERO uses to 6.1.1.

This version does not require a database upgrade.

• OMERO.web:
  • Allow the customization of the web logo
  • Allow overriding server configuration
  • Dynamically look up client download links
  • Fix description in new Project, Dataset etc.
  • Fix layout of the user account form
• Java gateway:
  • New methods added to allow change group of objects
  • New methods added to load objects (datasets, etc.) by name
  • New methods added to get original and repository paths of images
  • Minor fixes in createDataset and getPixelSize methods
• Import:
  • Add import target support for creating Projects
• Scripts:
  • Enable annotating Projects and Datasets with the Populate Metadata script
• OMERO.server:
  • Fix SSL cipher issue to allow Insight to be used from Fedora 30
  • Fix issue with loading Hibernate’s DTD when offline
  • Properly close OMERO.tables which kept sessions alive

Note : Due to the stricter closing of OMERO.tables, it may be necessary to update plugins like omero-metadata which previously were leaking files.

The software is available at https://downloads.openmicroscopy.org/omero/5.5.1. Clients are no longer available from that location since they will be released more frequently than the server.

OMERO.insight is now available at https://github.com/ome/omero-insight/releases/tag/v5.5.3 with the following changes:

• Fix SSL cipher issue to allow Insight to be used from Fedora 30
• Fix stack overflow exception
• Bump to omero-gateway-java 5.5.3

Official Docker images are available on Docker Hub:

• https://hub.docker.com/r/openmicroscopy/omero-web-standalone/
• https://hub.docker.com/r/openmicroscopy/omero-server/

The OME team

Release of OMERO 5.4.10

This release addresses a critical login issue for Java clients such as OMERO.insight.
New releases of Java include a change to the java.security file that disables anonymous
cipher suites. This change causes SSLHandshakeException when the client attempts to
authenticate to OMERO.blitz.

The OMERO 5.4.10 release has some clients like OMERO.insight check the security
property jdk.tls.disabledAlgorithms for the value "anon" and remove it if present thus
allowing authentication to proceed.

This release is for clients only and OMERO 5.4.9 servers do not need to be upgraded.

Release of OMERO 5.3.5

Today we are releasing OMERO 5.3.5. This is a security release - see the security advisory for further details.

It is highly recommended that you upgrade your server.

If you have not yet upgraded from 5.2.x because you are using Windows to host your server, there is a guide for migrating to Linux while upgrading to 5.3.x in the 5.3 documentation.

Release of OMERO 5.2.8

Today we are releasing OMERO 5.2.8. This is a security release to prevent users from deleting or editing official scripts and from accessing other people’s data by adjusting the file path of their OriginalFiles so it points to other people’s data in the repository.

Full details of the issues are available on:

• 2017-SV1 Filename Mutability
• 2017-SV2 Edit in RW Group
• 2017-SV3 Delete Script

This release does not upgrade the version of Bio-Formats which OMERO uses.

Upgrade information is on the server upgrade page.

We highly recommend that all sysadmins upgrade their installations asap.