Hi there, we identified a very severe issue recently which allows unprivileged access to any Metabase instance. This issue affects any Metabase server v43.x+.
We'll release the details once we can ensure that most of our users are patched, but we'll need everyone to patch (upgrade to the latest possible minor version in their current major version) their Metabase instances as soon as possible. E.g: if you're running v46, upgrade to v46.6.1, if you're running v45, upgrade to v45.4.1
Please consider this a very severe issue; you really need to upgrade if you're running an unpatched version.
Hi @Luiggi, I don't find any security fixes in the difference between v0.46.6 and v0.46.6.1. Which specific commit actually contains the security fix?
If you're running a fork, please send us a message to help at metabase dot com. We're not committing the code till we're sure that a decent amount of time has passed to make sure most users can patch their instances.
Thus I am unable to upgrade our AWS EBS instance to the latest 0.45.x (not ready to upgrade to 0.46 yet until we test it, since the last attempt caused serious issues).
Please use the following guide for upgrading Beanstalk, as we haven't done a "normal" release this time, so you'll need to build a Beanstalk artifact on your own (it's just changing a line).
Didn't find any related changes in v0.46.1; it's the same as v0.46.0.
I got a security patch with some file changes from the reply on my submitted ticket earlier today. There are some changes that I can apply to the codebase. But with these changes, now I cannot log in to my account. I get this error:
ERROR: column core_user.google_auth does not exist Position: 204
46.0 and 46.1 don't include the patch, in fact both are old versions. I would suggest you upgrade to the latest version of 46 and then apply the patch.
Also, the issue you're seeing is because you downgraded to v45, which is not supported. Your DB is now in version 46 while you're running v45 code.
Actually, I mean v0.46.6.0 and v0.46.6.1, which is the version released earlier today.
I didn't see the file patches included in the v0.46.6.1 source code.
Considering it's Friday, let's make sure to wait at least a little while into the next work week before releasing patch notes. Even if most people have upgraded, there's a good chance some orgs can't accommodate an upgrade right before the weekend. Let's not make sitting ducks out of them.
We won't release any notes about the issue till a good time has passed, don't worry. Please focus on upgrading and, if possible, help people on the forum who're struggling with it. There are > 50K instances of Metabase around the world that need to be patched.
@Luiggi What would be the best way to automatically inform ourselves, as open source users, of future security issues? We only found out about this one by seeing the blog.
@Luiggi Is there any news on the upcoming new version?
I have like 20+ Metabase instances to update, which are all on local networks, so not reachable from outside, and I'm not looking forward to updating them all now when you're going to release v0.47 next week.