Dear THREDDS users,
An XSS vulnerability has been brought to our attention and fixed. This
vulnerability only affects the DAP4 service for versions <= 5.5. We
strongly recommend that you either:
*1. Disable DAP4 services*
*2. or upgrade to the latest 5.6-SNAPSHOT version.* This can be downloaded
here <https://downloads.unidata.ucar.edu/tds/>. Please note that this
newest snapshot now requires JDK 17
<https://docs.unidata.ucar.edu/tds/5.6/userguide/install_java_tomcat.html>.
Additional JVM arguments are needed, which are in the CHRONICLE_CACHE
variable here
<https://docs.unidata.ucar.edu/tds/5.6/userguide/running_tomcat.html#setting-java_home-java_opts-catalina_home-catalina_base-and-content_root>.
Please let us know if you have any questions or concerns.
Best,
The THREDDS team
--
Tara Drwenski (she/her)
Software Engineer | THREDDS Developer
NSF Unidata | UCAR/UCP