Safety vulnerability ID: 52402
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Nemo 4.3.0 updates its dependency 'django' to v3.2.16 to include security fixes.
Latest version: 6.0.3
NEMO is a laboratory logistics web application. Use it to schedule reservations, control tool access, track maintenance issues, and more.
Update notes
1. New `User Office` and `Accounting Officer` roles have been added. They allow a greater level of granularity in NEMO. Consequently, `Staff` users won't be able to edit user information or see the billing information for other users by default. To give a user any of the new roles, go to `Detailed Administration -> Users`, select the user, **check** the `User office` or `Accounting officer` checkbox and **uncheck** the `Staff` box. More information can be found in the feature manual.
2. A cron job for access expiration email reminders needs to be enabled for the feature to work. A systemd version for docker is available in the [systemd folder](https://github.com/usnistgov/NEMO/tree/master/resources/systemd).
3. A cron job for managing tool qualifications needs to be enabled for the feature to work. A systemd version for docker is available in the [systemd folder](https://github.com/usnistgov/NEMO/tree/master/resources/systemd).
4. A cron job for managing recurring charges needs to be enabled for the feature to work. A systemd version for docker is available in the [systemd folder](https://github.com/usnistgov/NEMO/tree/master/resources/systemd).
New features
* Added recurring consumable charges, which allow charging users for the same consumable at a given frequency. For example, charging a user for renting user bins every year.
* Recurring charges can be exported (including potential errors)
* The quantity can be forced to a certain number in customization (for example when it should only and always be just one)
* Recurring charges can be locked so that non-facility managers can only assign them to users and cannot change the frequency or the linked consumable.
* A consumable category can be set in customization to limit recurring charges to only consumables belonging to that category.
* Customer validation (inactive, access expired, etc.) can be turned off for recurring charges in Customization.
* Users can set email reminders for their recurring charges in User preferences.
* Added Tool qualification expiration to remove tool qualification from users after a certain number of days. It needs to be enabled in Customization -> User. An example of the email template can be found [here](https://github.com/usnistgov/NEMO/blob/master/resources/emails/tool_qualification_expiration_email.html). There are 2 separate cases that can be customized:
1. Number of days since the user last used a tool. For example, remove tools from the user qualifications if they have not used it for 6 months.
2. Number of days without using a tool since the user was trained on that tool. For example, remove tools from the user qualifications if they haven't used it in the 2 weeks after being trained on it.
* Added Access expiration reminder email to remind users a certain number of days before their access expires. It needs to be enabled in Customization -> User. An example of the email template can be found [here](https://github.com/usnistgov/NEMO/blob/master/resources/emails/user_access_expiration_reminder_email.html).
* Added an optional `EMAIL_USE_DEFAULT_AND_REPLY_TO` option in `settings.py` to use the default server email address as the sender for all communication and set the email's reply-to to the actual sender. This option is helpful when using an email server that doesn't allow spoofing (for example a unique Gmail address).
* Added an optional `USERNAME_REGEX` option in `settings.py` to validate usernames.
* Added an optional `MAIN_URL` option in `settings.py`. This is useful when running multiple instances of NEMO, so all email links are sent to the same URL.
* Added audit log library that can be customized to track any changes in NEMO. See [setup instructions on the wiki](https://github.com/usnistgov/NEMO/wiki/Audit-log-and-tracking-changes).
* Added a few contributions from `Cornell NanoScale Facility`:
  * Added `Discipline`, a new configurable category that can be set on projects and users (Chemistry, Electronics etc.).
  * Added `Safety trainings`, a new configurable list of trainings that can be checked/unchecked for each user.
  * Added `Onboarding phases`, a new configurable list of items that can be checked/unchecked for each user.
* Added user and project document upload, which can be enabled in `Customization -> Application` and `Customization -> Projects & accounts`.
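The `USERNAME_REGEX` option above is a settings-level pattern that a validator applies to candidate usernames. The example below is added here and is not NEMO's code: the constant value, the `make_validator` helper and the comparison functions are assumptions used to show the one thing that matters when a regex is used as an allow-list. The pattern must be matched against the whole string, because `re.search` accepts any substring match and Python's `$` also matches just before a trailing newline, so both accept inputs the pattern author did not intend.

```python
import re
from typing import Callable

# Constructed pattern for illustration (assumption: the setting holds a regex
# string). This is not NEMO's default value.
USERNAME_REGEX = r"[a-z][a-z0-9._-]{2,31}"


def make_validator(pattern: str) -> Callable[[str], bool]:
    """Compile a settings-supplied pattern once and return a whole-string check.

    Compiling at startup turns a typo in the setting into a clear error instead
    of a validator that silently fails on every request.
    """
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"USERNAME_REGEX is not a valid regex: {exc}") from exc

    def is_valid(username: str) -> bool:
        # fullmatch anchors at both ends and does not treat a trailing
        # newline as the end of the string, unlike '$'.
        return compiled.fullmatch(username) is not None

    return is_valid


def is_valid_username(username: str, pattern: str = USERNAME_REGEX) -> bool:
    """Whole-string match: the form a username validator should use."""
    return re.fullmatch(pattern, username) is not None


def search_accepts(username: str, pattern: str = USERNAME_REGEX) -> bool:
    """Unanchored form (re.search): any substring match passes."""
    return re.search(pattern, username) is not None


def dollar_anchored_accepts(username: str, pattern: str = USERNAME_REGEX) -> bool:
    """'^...$' looks anchored, but '$' also matches before a final '\\n'."""
    return re.match("^" + pattern + "$", username) is not None


if __name__ == "__main__":
    validate = make_validator(USERNAME_REGEX)
    # Constructed sample inputs: one acceptable name and three that only the
    # weaker checks let through.
    for candidate in ["alice.smith_01", "Alice", "../alice", "alice\n"]:
        print(
            repr(candidate),
            "fullmatch:", validate(candidate),
            "search:", search_accepts(candidate),
            "^...$:", dollar_anchored_accepts(candidate),
        )
```

The three functions differ only in how the pattern is anchored; the `__main__` block prints them side by side for the constructed inputs so the difference is visible without reading the regex semantics. When wiring a pattern like this into a settings module, compile it once at import time via `make_validator` rather than per request.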
Improvements
* Added `unit_id` for interlocks using Modbus and added last reply time.
* Added tooltips with tool information in the status dashboard page.
* All email templates can now use global variables like `site_title`, `facility_name` etc.
* Updated autocomplete to be either synchronous or asynchronous, the latter considerably speeding up load time of pages like "Users".
* The user search bar is now available when viewing/modifying users to facilitate switching between them.
* Consumables can now be `reusable` which will prevent the quantity from ever decreasing when withdrawals are made.
* Added customization in `Customization -> User` to hide inactive users in the users page, and made the modify user page go back to the previous pagination page upon success. Thanks `USC Nanofab` for the contributions!
* Added customization in `Customization -> Project & accounts` to hide inactive accounts, inactive projects, and to collapse the project list by default. Thanks `Polytechnique Montréal - LMF` for the contributions!
* Added a way to change the calendar time format in `Customization -> Calendar`.
* Updated buttons in the entire application to have a consistent color and icon for same functionality.
* Optimized Safety Data Sheets page and added sorting by Hazard.
* Users now have the option to opt out from some of the email notifications in User preferences.
* Added Safety Data Sheets CSV export.
* Made pagination number of results per page sticky when navigating away and back. Also added an "all" option.
* Broadcast email feature now allows selecting multiple tools/areas/projects/accounts.
Bug fixes
* Fixed delayed docker container removal when stopping NEMO. Thanks r-xyz for the contribution!
Libraries
* Added django-audit-log 2.2.1
* Added pytz 2022.6
* cryptography 37.0.4 -> 38.0.4
* django 3.2.15 -> 3.2.16 (vulnerability)
* django-auditlog 2.2.0 -> 2.2.1
* django-mptt 0.13.4 -> 0.14.0
* djangorestframework 3.13.1 -> 3.14.0
* drf-excel 2.1.0 -> 2.2.0
* Pillow 9.2.0 -> 9.3.0