PyPi: Nemo

CVE-2022-22817

Transitive

Safety vulnerability ID: 44751

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 10, 2022 Updated at May 15, 2024

Advisory

Nemo 3.14.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.
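As an added check (not part of this advisory or of the NEMO project), the script below applies the advisory's two thresholds to a `pip freeze` style dependency list. It assumes that every NEMO release below 3.14.0 is affected (the advisory states only the fixed version) and compares plain release versions; the sample lockfile is constructed.

```python
import re

# Thresholds from the advisory: NEMO 3.14.0 moved its Pillow dependency to 9.0.0.
# Assumption: every NEMO release below 3.14.0 is treated as affected.
FIXED = {"nemo": (3, 14, 0), "pillow": (9, 0, 0)}


def version_key(version: str) -> tuple:
    """Map a plain release version such as '3.14.0' to a comparable 3-tuple.
    Pre-release suffixes are ignored, which is sufficient for the versions here."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_freeze(text: str) -> dict:
    """Parse `pip freeze` style lines ('Name==version') into {name: version},
    lower-casing names so 'Pillow' and 'pillow' refer to the same package."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed


def check(installed: dict) -> dict:
    """Return {package: 'vulnerable' | 'fixed' | 'absent'} for the two packages
    the advisory concerns. Because the NEMO finding is transitive, the Pillow
    line is the one that decides actual exposure."""
    result = {}
    for name, fixed in FIXED.items():
        if name not in installed:
            result[name] = "absent"
        elif version_key(installed[name]) < fixed:
            result[name] = "vulnerable"
        else:
            result[name] = "fixed"
    return result


# Constructed sample: a lockfile that still pins the pre-fix NEMO and Pillow.
SAMPLE_FREEZE = "Django==2.2.26\nnemo==3.13.0\nPillow==8.4.0\n"

if __name__ == "__main__":
    for pkg, status in check(parse_freeze(SAMPLE_FREEZE)).items():
        print(f"{pkg}: {status}")
```

To run the same check against a live interpreter, feed `check` a mapping built from `importlib.metadata.distributions()` instead of the parsed freeze output.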

Affected package

nemo

Latest version: 5.6.1

NEMO is a laboratory logistics web application. Use it to schedule reservations, control tool access, track maintenance issues, and more.

Affected versions

Fixed versions

Vulnerability changelog

Upgrade Notes
* NEMO now requires Python 3.7 since security support for 3.6 ended last month.
* The `LAB_MANAGERS` list in `settings.py` has been replaced by a permission on users called `is_facility_manager`. If you were using the LAB_MANAGERS setting, go to Detailed Administration -> Users and set the facility managers there after updating NEMO. Also please note that you need at least one facility manager to enable the new Access request feature.
* The `qualified` checkbox is now enabled by default when recording training sessions. Make sure to double check before confirming.
* The access request weekend access feature (more on this below) requires an hourly cron job that either calls `docker exec -it nemo django-admin send_email_weekend_access_notification` or sends a request to `/email_weekend_access_notification`.

New Features
* Added temporary access. This allows admins to give users access for a limited time, for example giving someone cleanroom access for a single weekend. It is available in Detailed Administration only.
* Added user access requests:
  * Access Requests and Buddy Requests are grouped under one common "Requests" menu item.
  * Access requests (after-hours requests) need to be enabled by checking the "allow user request" box on a "Physical Access Level" in Detailed administration and by setting at least one Facility manager.
  * Added customizations for tab title, description message, minimum number of buddies, maximum number of requests to display, weekend access emails and cutoff day and time (more on this below).
  * Once enabled, users can submit access requests by selecting a start and end time, an access level (if multiple are enabled) and a list of buddies. Facility managers (see below) are then notified and can approve/deny the request in NEMO. Upon approval, a corresponding temporary access will be created for all users in the request.
  * The request creator and buddies will receive a confirmation email, and buddies/facility managers will have a notification badge in NEMO on the requests tab indicating there is something new.
  * Facility managers can approve/deny a request and have the opportunity to update it before approving. This allows them to change the dates, update the description etc. before approving. This is useful if, for example, the request can only be approved for one day due to lack of staff on the second day.
  * A "weekend access" customizable email can be sent to a list of emails set in customization on the cutoff day and time set. If the email template is set, the email will be sent within an hour of the first approved request that includes weekend time, with a `weekend_access` value of `True`. If no access requests that include weekend time are approved by the cutoff day and time, the same email will be sent with a `weekend_access` value of `False`. The latter will not be sent if the cutoff day and time is not set.
* Added the facility manager role in Detailed administration -> Users to replace the `LAB_MANAGERS` setting. Facility managers receive all task-related updates and approve/deny access requests.
* Added "Charge note". This is a text area field that can be set and updated after creating a Staff Charge. It will be displayed in the "My usage", "Project billing" and "Remote work" pages as well as in the API.
* The project selection name can now be customized in the "Customization" page. It uses the Django templating engine, allowing expressions such as "{{ project.account.name }} - {{ project.name }}", which would display the account name followed by the project name. This is limited to project selection lists (in reservations, logging in to an area, kiosk etc.).
* A standalone reservation view was added for linking from outside of NEMO, available at `/event_details/reservation/<reservation_id>/`. Thanks jat255 for the contribution!
* Email templates to be used in customizations were added in the [resources folder](https://github.com/usnistgov/NEMO/tree/master/resources/emails). Feel free to adapt them to your needs.

Improvements
* Date and time formats have been made more consistent across NEMO and follow Django's format settings from `settings.py` instead of being hardcoded in certain places. Make sure `DATETIME_FORMAT`, `SHORT_DATETIME_FORMAT`, `DATE_FORMAT`, `SHORT_DATE_FORMAT` and `TIME_FORMAT` are set to your liking in `settings.py`; otherwise Django's defaults will be used.
* Added an `EXPORT_DATE_FORMAT` and `EXPORT_TIME_FORMAT` to `settings.py` to allow a custom format to be used in filenames when exporting (in API, My Usage, Tool Usage Data etc.). If not set, they will default to `m_d_Y` and `h_i_s` respectively.
* Supplies/consumables withdrawals are now allowed in group post usage questions.
* Project information can now be shown and exported in "Tool Usage Data History" through a checkbox (unchecked by default).
* The `qualified` checkbox when recording a training session is now checked by default.
* Fixed styling issues in the `Email logs` feature in the detailed administration, and also updated Customization to open the content preview in a separate tab.

Bug fixes
* Fixed a bug dating back to 2018 in custom task status using `primary_tool_owner` instead of `primary_owner`. Thanks rmwhite85 for noticing!
* Fixed a bug when exporting usage where it would use UTC dates in the CSV file.
* Fixed a bug where a user with back-to-back reservations would have one of them marked as missed even though they were already logged in to the area (from the prior reservation).
* Updated the misleading message shown when selecting projects for a reservation. It will now only mention missed reservation fees if the `missed_reservation_threshold` field is set on the tool/area, and the message will state what the threshold actually is.
* Fixed an issue where billable items would not show up in the API when they crossed a billing period, i.e. a charge that started before the end of the month and finished the next month would not appear. The logic now selects billables by end date only.

Libraries
* Updated Django to 2.2.26
* Updated django-filter to 21.1
* Updated djangorestframework to 3.13.1
* Updated django-mptt to 0.13.4
* Updated cryptography to 36.0.1
* Updated drf-flex-fields to 0.9.7
* Updated drf-renderer-xlsx to 0.4.4
* Updated python-dateutil to 2.8.2
* Updated ldap3 to 2.9.1
* Updated requests to 2.27.1
* Updated Pillow to 9.0.0


Severity Details

CVSS Base Score: CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH

CVSS v2 Details

HIGH 7.5
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL