Docker Tag: redash/redash:10.1.0.b50633
Summary
This release includes fixes for three security vulnerabilities (click the links for complete details to see whether your installation is affected):
- Insecure default configuration affects installations where REDASH_COOKIE_SECRET is not set explicitly (CVE-2021-41192)
- SSRF vulnerability affects installations that enabled URL-loading data sources (CVE-2021-43780)
- Incorrect usage of the state parameter in OAuth client code affects installations where Google Login is enabled (CVE-2021-43777)
It also incorporates several fixes from master that merged after the V10.0 release.
See CHANGELOG for the full release notes.
Huge thanks to Ian Carroll and another reporter who preferred to remain anonymous for responsibly disclosing these vulnerabilities.
Upgrading
From V10.0:
Follow our standard upgrade process (reproduced below).
1. Make sure to back up your data. You only need to back up Redash's PostgreSQL database (the database Redash stores metadata in, not the ones you might be querying), as the data in Redis is transient.
2. Change directory to /opt/redash.
3. Update the Redash image reference in /opt/redash/docker-compose.yml to redash/redash:10.1.0.b50633.
4. Stop Redash services: docker-compose stop server scheduler scheduled_worker adhoc_worker (you might need to list additional services if you updated your configuration).
5. No migrations are needed when upgrading from 10.0.
6. Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.
7. Start services with docker-compose up -d
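The upgrade steps above as a shell helper, added here as an example and not part of the Redash project's own tooling. It refuses to touch a live installation when REDASH_COOKIE_SECRET is left unset (the insecure-default condition of CVE-2021-41192), rewrites the image tag in docker-compose.yml, and runs the stop/migrate/start sequence; the env file path /opt/redash/env, the postgres service name and the postgres user and database names are assumptions.

```shell
#!/bin/sh
# Added helper for the upgrade steps above; not Redash project code.
# Assumptions: compose layout under /opt/redash, environment variables in
# /opt/redash/env, and a "postgres" service with user/database "postgres".
set -e

REDASH_DIR="${REDASH_DIR:-/opt/redash}"
NEW_TAG="redash/redash:10.1.0.b50633"

# CVE-2021-41192 precondition: succeed only when REDASH_COOKIE_SECRET has a
# non-empty value in the env file (surrounding quotes stripped).
cookie_secret_is_set() {
  [ -r "$1" ] || return 1
  value=$(sed -n -E 's/^[[:space:]]*REDASH_COOKIE_SECRET=//p' "$1" \
          | tail -n 1 | tr -d "\"'")
  [ -n "$value" ]
}

# Step 3: rewrite every redash/redash image line in docker-compose.yml to the
# release tag (a .bak copy is kept). Prints how many image lines matched.
set_redash_image_tag() {
  compose_file="$1"; tag="${2:-$NEW_TAG}"
  count=$(grep -cE 'image:[[:space:]]*redash/redash:' "$compose_file" || true)
  sed -i.bak -E "s#(image:[[:space:]]*)redash/redash:[^[:space:]]+#\1${tag}#" \
      "$compose_file"
  echo "$count"
}

# Step 1: dump only the metadata database (Redis content is transient).
backup_metadata_db() {
  docker-compose -f "$REDASH_DIR/docker-compose.yml" exec -T postgres \
    pg_dump -U postgres postgres > "$1"
}

# Steps 1-7 for a V10.0 install; pass "v9" to run the V9 migration as step 5.
run_upgrade() {
  cookie_secret_is_set "$REDASH_DIR/env" || {
    echo "REDASH_COOKIE_SECRET is not set explicitly in $REDASH_DIR/env" >&2
    return 1
  }
  cd "$REDASH_DIR"
  backup_metadata_db "$REDASH_DIR/redash-metadata-$(date +%Y%m%d%H%M%S).sql"
  set_redash_image_tag "$REDASH_DIR/docker-compose.yml" >/dev/null
  docker-compose stop server scheduler scheduled_worker adhoc_worker
  if [ "${1:-}" = "v9" ]; then docker-compose run --rm server manage db upgrade; fi
  docker-compose up -d
}
# Only touch a live installation when invoked explicitly: ./upgrade.sh --run [v9]
if [ "${1:-}" = "--run" ]; then run_upgrade "${2:-}"; fi
```

After a successful run, step 6 (checking the Impact segment and securing secret fields if affected) still has to be done by hand.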
From V9:
Follow the same steps as for V10, but for step 5 apply the migration:
- docker-compose run --rm server manage db upgrade
From V8 or earlier:
- Follow the complete steps outlined in the V10.0 release, but use this Docker Tag in step 3: redash/redash:10.1.0.b50633
- Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.