PyPi: Nemo

CVE-2023-36053

Transitive

Safety vulnerability ID: 59619

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 03, 2023 Updated at Nov 29, 2024

Advisory

Nemo 4.6.0 updates its dependency 'django' to version '3.2.20' to fix a ReDoS vulnerability.

Affected package

nemo

Latest version: 6.0.3

NEMO is a laboratory logistics web application. Use it to schedule reservations, control tool access, track maintenance issues, and more.

Affected versions

Fixed versions

Vulnerability changelog

Upgrade notes
- If using the consumables/supplies self-checkout feature, a dashboard icon (landing page choice with url `/consumables/` in detailed administration) needs to be added for regular users to have a link to it (one is available in the [icons folder](https://github.com/usnistgov/NEMO/tree/master/resources/icons)).
- To enable the new contracts sub-plugin:
  - `"NEMO.apps.contracts"` needs to be added to `INSTALLED_APPS` in `settings.py`.
  - A timed service job needs to be created for contract reminders to be sent (an example is available in the [systemd folder](https://github.com/usnistgov/NEMO/tree/master/resources/systemd)).

New features
- Added a new contracts sub-plugin, where service contracts, procurements and contractor agreements can be tracked:
  - Service contracts and contractor agreements have a reminder date, and facility managers receive emails when they are due for renewal.
  - Contractor agreements are linked to either service contracts or procurements.
  - Service contracts and contractor agreements can be renewed (a new item is created with year +1).
  - Each list can be exported in CSV format.
- Added an option to let users self-checkout consumables and supplies in Customization -> Application (thanks `Cornell NanoScale Facility` for the contribution!).
- In the Area access plugin, added an option to automatically log users out when they try to log in to the same area again, so tablets can be used for both entrance and exit (thanks `UPenn Singh Center` for the contribution!).
- Added tool freed time notifications, allowing users to set a list of tools they want to be notified about when time is freed up, either by a cancellation or by a reservation being moved. Users can set the tool list in **preferences**, and set the minimum time and the number of days in the future that trigger the notifications (thanks `Princeton Micro/NanoFabrication Center` for the contribution!).
- Added a new setting in `settings.py` called `NEMO_EMAIL_SUBJECT_PREFIX` to add a prefix to all NEMO-related emails (thanks `UPenn Singh Center` for the contribution!).

Improvements
- Updated colors and contrasts, and added labels and better support for screen readers and accessibility in NEMO (thanks to `Cornell NanoScale Facility` for the detailed report on accessibility).
- Added task resolution time to task update emails.
- Added item id in the billing API.
- Added an option to set a default badge reader configuration, and fixed a number of issues when only using a send key and not using any recording key (thanks `UPenn Singh Center` for the contribution!).
- Added an option to retry sensor data reading before triggering a no-data alert.
- Added alert logs in sensor categories, limited to the last 30 alerts.
- Added a flag on tools to prevent qualifications from ever expiring (thanks `Polytech Group of Characterization of Materials` for the contribution).
- Optimized status dashboard loading time and made the first page load asynchronous.
- Added an option in preferences for facility managers to limit the tools they receive/view adjustment requests for.
- Added an option in preferences for facility managers, technical staff and service personnel to either limit or add the tools they want to view maintenance records and task notifications for. This is particularly useful for facilities with multiple managers handling separate sets of tools (thanks `UPenn Singh Center` for the contribution!).
- When technical staff have a reservation and are done working on a tool, they are now offered the option to free up the remaining time on their reservation.
- Added a customization setting to allow technical staff, user office or accounting staff to see the details of a staff absence (type of leave, notes) in the staff status tab of the status dashboard.
- Updated NEMO references in email templates to automatically use the site title customization (thanks r-xyz for the contribution!).
- Reservation start and end dates can now be changed manually in the reservation details page (only by the reservation user or staff). Thanks jat255 for the suggestion.

Bug fixes
- Fixed a badge number issue when importing users from the API (duplicates were wrongly rejected).
- Fixed a bug when trying to validate an ongoing staff charge.
- Fixed API file import issues when redirecting (for example when redirecting http -> https).
- Fixed sensor reading not allowing reads at address 0.
- Fixed an error when trying to open the door when no interlocks are set.
- Fixed the unanswered post-usage question email, sent when a tool is forced off by staff, so that it is sent from the user office email (instead of the site email). Thanks r-xyz for the contribution!
- Fixed delayed splash_pad container removal (thanks r-xyz for the contribution!).

Libraries
- Django 3.2.19 -> 3.2.20 (vulnerability)
- cryptography 40.0.1 -> 41.0.2
- django-auditlog 2.2.2 -> 2.3.0
- django-filter 23.1 -> 23.2
- drf-excel 2.3.0 -> 2.4.0
- Pillow 9.5.0 -> 10.0.0
- pymodbus 3.2.2 -> 3.3.2
- requests 2.28.2 -> 2.31.0

Resources


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
HIGH