OpenNMS Security Release 1.10, 1.12, 1.13

You are strongly advised to update your OpenNMS installation to its latest point release

The OpenNMS Project have released a security release for both the production (1.12) and development (1.13) branches of OpenNMS, and considering the impact, the deprecated 1.10 branch as well.

This release fixes a bug that could expose arbitrary filesystem data to logged-in users through the Web UI.

For details on the issue, see:

Note that this only exploitable by users who can log into OpenNMS via the webUI. For some of you this is limited and of little concern, but for others, especially those with LDAP integration, the problem could be larger. In any case, upgrading is strongly recommended. If you are already on the latest version of your particular branch, the new version should be an easy install with no configuration file changes.

Also, a reminder: as of OpenNMS 1.12.7 and 1.13.2, the way OpenNMS starts Jetty has changed, so if you have configured OpenNMS to use AJP,or used other esoteric tweaks to the Jetty configuration in, you will need to adapt them to jetty.xml instead. For details, see:

Tarus Balog