Release v10.1.0 · getredash/redash

Docker Tag: redash/redash:10.1.0.b50633

Summary

This release includes fixes for three security vulnerabilities (click the links for complete details to see whether your installation is affected):

Insecure default configuration affects installations where REDASH_COOKIE_SECRET is not set explicitly (CVE-2021-41192)
SSRF vulnerability affects installations that enabled URL-loading data sources (CVE-2021-43780)
Incorrect usage of state parameter in OAuth client code affects installations where Google Login is enabled (CVE-2021-43777)

It also incorporates several fixes from master that merged after the V10.0 release.

See CHANGELOG for the full release notes.

Huge thanks to Ian Carroll and another reporter who preferred to remain anonymous for responsibly disclosing these vulnerabilities.

Follow our standard upgrade process (reproduced below).

Make sure to backup your data. You only need to backup Redash’s PostgreSQL database (the database Redash stores metadata in, not the ones you might be querying) as the data in Redis is transient.
Change directory to /opt/redash.
Update /opt/redash/docker-compose.yml Redash image reference to redash/redash:10.1.0.b50633
Stop Redash services: docker-compose stop server scheduler scheduled_worker adhoc_worker (you might need to list additional services if you updated your configuration)
(No migrations are needed when upgrading from 10.0)
Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.
Start services with docker-compose up -d

Follow the same steps as V10 but for step 5:

Follow the complete steps outlined in the V10.0 release but use this Docker Tag in step 3: redash/redash:10.1.0.b50633
Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.