XNAT 1.9.0 and Multiple Plugin Updates Released
The XNAT 1.9.0 release is a major step forward in security compliance, consisting of a response to an extensive survey of published CVEs affecting code libraries that XNAT is built on. After performing an extensive analysis of our actual vulnerability to these CVEs, we performed a series of updates following one of these three paths:
Updating the dependency library and the code that uses it
Removing the library entirely for deprecated classes and elements
Migrating dependencies out of XNAT core and into a plugin
The third approach was reserved for the XNAT Pipeline Engine, which has now been fully deprecated as of XNAT 1.9.0. Those institutions that still depend on pipelines for their processing execution can install the newly created Pipeline Engine Plugin.
More details are available in the full XNAT 1.9.0 Release Notes.
Effects on core XNAT Plugins
Because this XNAT update does touch on so many dependency libraries, this had a direct impact on many “core” open source plugins, including the XNAT OHIF Viewer, the Container Service, and DICOM Query Retrieve plugins.
For XNATs with these plugins installed, updates are required as part of the upgrade process. Because of that, we have simultaneously released a series of open source plugin updates, and we have published documentation for plugin developers in the open source community to enable them to triage and update their own plugin dependencies.
Required Plugin Updates for XNAT 1.9.0
XNAT-OHIF Viewer 3.7.0 was recently released and works both in XNAT 1.8.10.x and in XNAT 1.9.0. Version 3.6.3 and earlier are not compatible.
DICOM Query Retrieve 2.1.0 is now available and is compatible with XNAT 1.9.0. Versions 2.0.2 and earlier are not compatible.
Container Service 3.6.0 is now available and is compatible with XNAT 1.9.0. Versions 3.5.0 and earlier are not compatible.
Batch Launch Plugin 0.7.0 is now available and is compatible with XNAT 1.9.0. Version 0.6.0 can be run with the Pipeline Engine Plugin installed, but is not compatible without that additional plugin.
Additional testing was performed on the following open source plugins to ensure compatibility:
XNAT JupyterHub Integration 1.2.0 is compatible with XNAT 1.8.10 and above
OpenID Authentication Plugin 1.3.1 is compatible with XNAT 1.8.9.1 and above
LDAP Authentication Plugin 1.1.0 is compatible with XNAT 1.8.0 and above
Resources for Plugin Developers
For a full list of dependency updates, please see XNAT 1.9 Dependency Updates
For plugin development documentation related to these updates, see Updating Plugins for Changes in XNAT Dependencies
Installing and Using the Pipeline Engine Plugin
The Pipeline Engine Plugin contains all of the elements of the XNAT UI that used to offer built in support for the front end of the pipeline processing workflow. Installing the plugin is now a requirement for usage, along with installing the pipeline engine and individual pipeline artifacts themselves.
Note: Since this plugin does contain documented instances of dependencies with known CVEs, please use with appropriate caution.
Learn more at the Pipeline Engine Plugin documentation page.
Download and Upgrade!
The latest versions of XNAT and its plugins can be found here:
Updating to XNAT 1.9.0 from XNAT 1.8.x is largely the same process as before. However, due to the number of changes affecting plugins, we strongly urge you to follow all recommended safeguards, including backing up your data and performing the update in a test system with thorough QA before deploying to production. You can find our updated documentation on upgrading XNAT here: