XNAT 1.7.4 was primarily devoted to addressing critical security issues. We strongly recommend all XNAT Admins upgrade to the latest version of XNAT to maintain their security compliance.
A number of data accessibility issues and other system performance issues were addressed as well.
You can view a full list of publicly-viewable JIRA issues that were addressed in this release here: https://issues.xnat.org/secure/Dashboard.jspa?selectPageId=11900. Please note that we are not yet making security issues publicly viewable.
A number of high-severity security vulnerabilities in XNAT were addressed, including but not limited to:
- Closing off multiple avenues for potential unauthorized or unintended data access
- Preventing user permissions escalation and potential methods of user account spoofing
- Allowing XNAT Admins to eliminate email phishing attempts by restricting IP addresses that can send outbound emails using REST calls. This setting is available under Administer → Site Administration → Site Settings → Security → General Site Security Settings → IPs that can send emails via REST.
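The last item above restricts which client addresses may use the REST mail endpoint. As an added illustration (not XNAT's own code), the check below shows how such an allowlist is evaluated, including the CIDR handling and the proxy caveat a practitioner needs: a forwarded-for header is only trusted when the application is known to sit behind a reverse proxy. The allowlist entries, the `trust_proxy` flag and an empty list meaning "deny all" are assumptions of this example.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for the admin setting "IPs that can send emails via REST".
ALLOWED_SENDERS = ["10.20.0.0/16", "192.0.2.10"]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Turn admin-entered addresses / CIDR blocks into network objects.
    A bare address becomes a /32 (or /128) network."""
    nets: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def client_ip(remote_addr: str, forwarded_for: Optional[str] = None,
              trust_proxy: bool = False) -> str:
    """Pick the address to check. X-Forwarded-For is client-controlled, so it is
    only honoured when a trusted reverse proxy is known to set it; otherwise a
    caller could put an allowed address in the header and bypass the restriction."""
    if trust_proxy and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def may_send_email(remote_addr: str, allowlist: List[Network],
                   forwarded_for: Optional[str] = None,
                   trust_proxy: bool = False) -> bool:
    """Return True only if the effective client address is inside the allowlist.
    Unparseable addresses and an empty allowlist both fail closed (assumption)."""
    if not allowlist:
        return False
    try:
        ip = ipaddress.ip_address(client_ip(remote_addr, forwarded_for, trust_proxy))
    except ValueError:
        return False
    return any(ip in net for net in allowlist)
```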
Usability of Guest Account and Custom User Groups
Intended functionality was restored to the guest account for public-access XNAT accounts, including data downloading and site navigation.
Additionally, all intended functionality was restored for project owners who are supporting Custom User Groups. Custom User Groups were found to be largely non-functional in XNAT 1.7.x until this release.
XNAT System and Configuration
Core components were upgraded, including Spring, and configurations for LDAP and tasks were improved.
REST API and Data I/O
Several fixes were made to ensure proper REST / XAPI functionality. Additionally, fixes to support DicomEdit 6 anonymization methods were added, as well as other DICOM communication improvements.
Data Sharing and Representation
Several fixes related to XNAT's XFT model were made to improve the queryability of shared data and to properly represent data types in searches and reports.