
v10.1.0

@susodapop susodapop released this 24 Nov 03:36
2589bef

Docker Tag: redash/redash:10.1.0.b50633

Summary

This release includes fixes for three security vulnerabilities (click the links for complete details to see whether your installation is affected):

  • Insecure default configuration affects installations where REDASH_COOKIE_SECRET is not set explicitly (CVE-2021-41192)
  • SSRF vulnerability affects installations that enabled URL-loading data sources (CVE-2021-43780)
  • Incorrect usage of state parameter in OAuth client code affects installations where Google Login is enabled (CVE-2021-43777)

It also incorporates several fixes from master that merged after the V10.0 release.

See CHANGELOG for the full release notes.

Huge thanks to Ian Carroll and another reporter who preferred to remain anonymous for responsibly disclosing these vulnerabilities.

Upgrading

From V10.0:

Follow our standard upgrade process (reproduced below).

  1. Make sure to back up your data. You only need to back up Redash’s PostgreSQL database (the database Redash stores its metadata in, not the ones you might be querying), as the data in Redis is transient.
  2. Change directory to /opt/redash.
  3. Update the Redash image reference in /opt/redash/docker-compose.yml to redash/redash:10.1.0.b50633.
  4. Stop Redash services: docker-compose stop server scheduler scheduled_worker adhoc_worker (you might need to list additional services if you updated your configuration)
  5. (No migrations are needed when upgrading from 10.0)
  6. Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.
  7. Start services with docker-compose up -d

From V9:

Follow the same steps as from V10.0, but replace step 5 with:

  1. Apply migration: docker-compose run --rm server manage db upgrade
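The upgrade steps above (the V10.0 path, and the V9 variant that adds the migration in step 5) as one script, with a pre-flight check that REDASH_COOKIE_SECRET is set explicitly so the insecure default behind CVE-2021-41192 does not apply to the upgraded installation. This is an added example, not a script shipped by the Redash project; it assumes the compose directory /opt/redash, an env file at /opt/redash/env holding REDASH_COOKIE_SECRET, and a compose service named postgres using the default postgres user and database.

```shell
#!/usr/bin/env bash
# Added example (not from the Redash project): scripts the upgrade steps above.
# Assumptions: compose dir /opt/redash, env file /opt/redash/env, a compose
# service named "postgres" with the default "postgres" user and database.
set -eu

REDASH_DIR="${REDASH_DIR:-/opt/redash}"
NEW_IMAGE="redash/redash:10.1.0.b50633"   # Docker tag from this release

# Step 3: rewrite the redash/redash image reference in docker-compose.yml in
# place (a .bak copy is kept). Only "image: redash/redash:<tag>" lines change.
set_redash_image() {           # $1 = compose file, $2 = new image reference
  sed -i.bak -E "s#(image:[[:space:]]*)redash/redash:[^[:space:]]+#\1$2#" "$1"
  grep -c "image: $2" "$1"     # prints how many services now use the new tag
}

# Pre-flight for CVE-2021-41192: the insecure default only applies when
# REDASH_COOKIE_SECRET is not set explicitly, so require a non-empty value.
cookie_secret_is_set() {       # $1 = env file; exit 0 if a value is present
  grep -Eq '^REDASH_COOKIE_SECRET=.+' "$1"
}

upgrade_redash() {             # $1 = "v10" or "v9" (v9 also runs the migration)
  cd "$REDASH_DIR"
  # Step 1: back up only the metadata database; the Redis data is transient.
  docker-compose exec -T postgres pg_dump -U postgres postgres \
    | gzip > "redash-metadata-$(date +%Y%m%d%H%M%S).sql.gz"
  cookie_secret_is_set env || {
    echo "set REDASH_COOKIE_SECRET in $REDASH_DIR/env before upgrading" >&2
    return 1
  }
  set_redash_image docker-compose.yml "$NEW_IMAGE" >/dev/null          # step 3
  docker-compose stop server scheduler scheduled_worker adhoc_worker    # step 4
  if [ "$1" = "v9" ]; then
    docker-compose run --rm server manage db upgrade                    # step 5 (V9 only)
  fi
  docker-compose up -d                                                  # step 7
}
```

Run it as `upgrade_redash v10` or `upgrade_redash v9`; step 6 (the Impact and Patches instructions for the secret fields) still has to be done by hand after the services start.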

From V8 or earlier:

  1. Follow the complete steps outlined in the V10.0 release but use this Docker Tag in step 3: redash/redash:10.1.0.b50633
  2. Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.