Released: March 08, 2023
Status: End of life
This version includes fixes and backports from series 4.3, 4.4, and
The Python Transifex client was remove and replace with the new Go based
client. This client is OS dependent and needs to be installed manually
when working with translations (https://github.com/transifex/cli).
Pin Jinja2 version to workaround Sphinx bug. Sphinx Jinja2 dependency is
not pinned or immutable, and causes the installation of an incompatible
version breaking builds.
Improved the Python 3.10 compatibility. Add a compatibility module to
encapsulate import of the
Iterable class. Python 3.10 is not
supported. This change was merged to allow automated rendering of
platform files like GitLab CI and Docker build file.
The validation errors in the document metadata API were incorrectly
causing HTTP 500 server errors. A custom REST API exception handler was
added to workaround inconsistent validation exception behavior in the
Django REST framework and ensure validation error raise a HTTP 400 error
Sanitize tag labels to avoid XSS abuse (CVE-2022-47419: Mayan EDMS Tag
XSS). This is a limited scope weakness of the tagging system markup that
can be used to display an arbitrary text when selecting a tag for
attachment to or removal from a document.
It is not possible to circumvent Mayan EDMS access control system or
expose arbitrary information with this weakness.
Attempting to exploit this weakness requires a privileged account and is
not possible to enable from a guest or an anonymous account. Visitors to
a Mayan EDMS installation cannot exploit this weakness.
It is also being incorrectly reported that this weakness can be used to
steal the session cookie and impersonate users. Since version 1.4 (March
23, 2012) Django has included the
httponly attribute for the session
cookie. This means that the session cookie data, including
Mayan EDMS currently uses Django 3.2. Under this version of Django The
SESSION_COOKIE_HTTPONLY defaults to
True, which enables the
and therefore not available for impersonation via session hijacking.
SESSION_COOKIE_HTTPONLY setting is not currently exposed by
Mayan EDMS’ setting system, therefore it is not possible to disable
this protection by conventional means.
Any usage of this weakness remains logged in the event system making it
easy to track down any bad actors.
Due to all these factors, the surface of attack of this weakness is very
limited, if any.
There are no known actual or theoretical attacks exploiting this
weakness to expose or destroy data.
psycopg2 versions for testing. Upgrade testing now uses
PYTHON_PSYCOPG2_VERSION_PREVIOUS to install the previous version of
- Install OS and Python dependencies as separate makefile targets.
- Support a local environment config file names
This file is ignored by Git and meant to override values of
config.env. against PostgreSQL.
SearchModel.flatten_listto the common app
- Move the helper module
version.pyto the dependencies app.
- GitOps improvements and backports:
- Add configurable remote branch for GitOps.
- Add makefile targets to trigger standalone builds.
- Reuse Python build in stages.
- Convert branches into literals.
- Remove duplicated code in jobs.
- Split GitLab CI targets into their own makefile.
- Increase artifact expiration.
- Add PIP and APT caching to documentation and python build
- Add GitLab CI job dependencies.
- Enable Buildkit builds.
- Use APT proxy and cache in more places.
- Cache Alpine APK packages.
- Clean up cache directory definitions.
- Update APT cache to be at
- Add multi cache support.
- Add GitLab CI cache template tags.
- Update deployment stages.
- Transifex Python client
Backward incompatible changes