Atomio Changelog
All notable changes to Atomio are documented below.
The format is based on Keep a Changelog,
and Atomio adheres to Semantic Versioning.
[2.3.0] - 2026-06-18
Security
- Updated to Spring Boot 4.1.0 and mockserver-netty 7.0.0 to address CVEs in Apache Tomcat (CVE-2026-41293, CVE-2026-43512, CVE-2026-42498, CVE-2026-43513, CVE-2026-41284) and nimbus-jose-jwt (CVE-2025-53864, CVE-2023-52428)
- Updated to Spring Boot 4.0.6 and bcpkix-jdk18on 1.84 to address CVEs in Log4j Core, Apache Tomcat, Spring Framework, and Bouncy Castle
- Fixed overly permissive URL whitelist check in artefact download: matching now uses URI component comparison (scheme, host, port, path prefix) instead of raw string `startsWith`
- Fixed path traversal vulnerability in artefact storage: dot-only path segments (`.`, `..`) are now neutralised, and resolved paths are verified to stay within the configured artefact store
- Fixed SSRF via redirect in feed sync downloads: redirects are now followed manually with whitelist re-validation and user-info checks at each hop; bearer tokens are resolved per-hop against the contacted host
- Fixed JWT `client_id` validation using substring match (`contains`); changed to exact equality check
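The three checks described in the 2.3.0 security entries, shown side by side as an added illustration. This is not Atomio's code: the class name `DownloadGuards`, the method names and the whitelist, store-root and `client_id` sample values are all assumed. The weak prefix check is kept next to the hardened one so the lookalike-host case that defeats `startsWith` is visible; the redirect re-validation is not shown, but it is the same component comparison applied to each hop's URL.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Locale;
import java.util.Objects;

// Added example; not Atomio's implementation. All names and values are assumed.
public class DownloadGuards {

    // Weak check: raw string prefix. A host such as "feeds.example.org.lookalike.example"
    // passes a whitelist entry of "https://feeds.example.org" because the string starts with it.
    static boolean prefixWhitelistAllows(List<String> whitelist, String url) {
        return whitelist.stream().anyMatch(url::startsWith);
    }

    // Hardened check: compare parsed URI components. Scheme and host compare case-insensitively,
    // ports compare after default-port resolution, and the path must match on a '/' boundary.
    static boolean componentWhitelistAllows(List<String> whitelist, String url) {
        URI target;
        try {
            target = new URI(url).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (target.getRawUserInfo() != null) return false; // reject "user@host" forms outright
        for (String entry : whitelist) {
            URI allowed;
            try {
                allowed = new URI(entry).normalize();
            } catch (URISyntaxException e) {
                continue; // a malformed whitelist entry never matches anything
            }
            if (!Objects.equals(lower(target.getScheme()), lower(allowed.getScheme()))) continue;
            if (!Objects.equals(lower(target.getHost()), lower(allowed.getHost()))) continue;
            if (effectivePort(target) != effectivePort(allowed)) continue;
            if (pathPrefixMatches(allowed.getPath(), target.getPath())) return true;
        }
        return false;
    }

    static String lower(String s) {
        return s == null ? null : s.toLowerCase(Locale.ROOT);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // "/packages" allows "/packages" and "/packages/x", but not "/packages-private".
    static boolean pathPrefixMatches(String allowedPath, String targetPath) {
        String a = (allowedPath == null || allowedPath.isEmpty()) ? "/" : allowedPath;
        String t = (targetPath == null || targetPath.isEmpty()) ? "/" : targetPath;
        if (a.endsWith("/")) return t.startsWith(a);
        return t.equals(a) || t.startsWith(a + "/");
    }

    // Path traversal guard: drop dot-only segments, then confirm the resolved path
    // still lies inside the store root even after normalisation.
    static Path resolveInsideStore(Path storeRoot, String requestedName) {
        StringBuilder cleaned = new StringBuilder();
        for (String seg : requestedName.split("/")) {
            if (seg.isEmpty() || seg.chars().allMatch(c -> c == '.')) continue;
            if (cleaned.length() > 0) cleaned.append('/');
            cleaned.append(seg);
        }
        Path root = storeRoot.toAbsolutePath().normalize();
        Path resolved = root.resolve(cleaned.toString()).normalize();
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("path escapes artefact store: " + requestedName);
        }
        return resolved;
    }

    // JWT client_id: exact equality. A contains() check would accept "atomio-other" for "atomio".
    static boolean clientIdMatches(String expected, String claim) {
        return expected != null && expected.equals(claim);
    }

    public static void main(String[] args) {
        List<String> whitelist = List.of("https://feeds.example.org/packages"); // assumed value
        String lookalike = "https://feeds.example.org.lookalike.example/packages/x.zip";
        System.out.println(prefixWhitelistAllows(whitelist, lookalike));    // true: weak check fooled
        System.out.println(componentWhitelistAllows(whitelist, lookalike)); // false
        System.out.println(componentWhitelistAllows(whitelist, "https://FEEDS.example.org:443/packages/x.zip")); // true
        System.out.println(resolveInsideStore(Paths.get("/var/atomio/store"), "feed1/../../etc/passwd"));
        System.out.println(clientIdMatches("atomio", "atomio-other")); // false
    }
}
```

The path guard neutralises `.` and `..` segments first and then checks containment, so the second check is defence in depth for inputs the segment filter does not anticipate rather than the only line of defence.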
Added
- Added support for package dependencies (edition and derivative) as introduced by SNOMED International
- Also includes PATCH-based API for updating them
- Feed sync: feeds can be configured to periodically mirror a remote Atom feed; sync configuration is set via the existing feed create and patch endpoints
- Sync supports entry filtering by category and FHIR version; optional mirror mode; optional stripping of security tags
- Sync results are persisted per feed with per-entry status; viewable via new sync history and force-sync endpoints on feeds and admin
- Sync remote URL must be whitelisted and a valid cron expression (minimum 10-minute interval) is required; sync auto-disables on failure or schedule expiry
- Added `GET /info`, `GET /readme`, and `GET /changelog` endpoints to expose server version, settings, and documentation
Fixed
- Feed query fixes: correct null feed name in artefact URLs; fix duplicate entries on category filters; fix date exclude off-by-one; add alias as a queryable key; allow underscores in feed/alias values.
[2.2.5] - 2026-03-05
Security
- Updated to Spring Boot 4.0.3
[2.2.4] - 2025-08-27
Fixed
- Fix MD5Hash not checked when present
- Improve cleanup of temporary files
Security
- Updated dependencies to mitigate CVEs:
- CVE-2025-48924
[2.2.3] - 2025-07-03
Security
- Updated dependencies to mitigate CVEs:
- CVE-2025-48988
- CVE-2025-49146
[2.2.2] - 2025-06-12
Change
- Added a flag to indicate whether permissions should be ignored when cloning a feed or entry.
- Added query-based feeds
Fixed
- An issue preventing configuration validation from validating nested configurations on startup.
- Feed permissions can now also be edited
- Fix get XML response header returning incorrect charset
[2.2.1] - 2025-03-05
Change
- Removed dependency on old 3rd party Atom feed parser (Rome)
- Added the ability to edit a feed or entry
[2.2.0] - 2025-02-11
Change
- Major security enhancements - check feed and entry level permissions in your feeds before deploying this version.
- Added support for feed and entry level read and write permissions as well as supporting API level read and write permissions - see the configuration guide for details.
Security
- Updated to Spring Boot 3.4.2
[2.1.4] - 2024-12-23
Fixed
- Fix issue causing API errors to be obscured
[2.1.3] - 2024-11-27
Change
- Enhanced security checks to issue warnings if SMART configuration is set while security is disabled. Added support for OPTIONS and HEAD requests in anonymous feed reads.
Security
- Updated to Spring Boot 3.4.0
[2.1.2] - 2024-11-25
Change
- Relaxed configuration requirements to allow disabling both audience and clientId validation to support authorisation servers that cannot provide the claims
Security
- Updated to Spring Boot 3.3.5 to address CVE-2024-38821 and CVE-2024-38816
[2.1.1] - 2024-11-21
Change
- Removed restrictions on grant types in OpenID configuration.
[2.1.0] - 2024-07-15
Change
- Added auto-launch of AtomioUI from root.
Fixed
- Fixed a bug that caused aliases to not obey `atomio.security.anonymousFeedRead=false` as they should.
Security
- Updated to Spring Boot 3.3.1 and the base docker image to resolve CVEs
[2.0.4] - 2024-04-18
Change
- Added compression for responses to reduce bandwidth usage and improve performance for responses over 1KB. Compression is enabled by default and can be disabled by setting `server.compression.enabled` to `false`.
[2.0.3] - 2024-02-23
Security
- Upgraded to Spring Boot 3.2.3 resolving CVEs
- Upgraded to PostgreSQL JDBC Driver 47.2.2 to resolve critical vulnerability CVE-2024-1597; note that the way prior Atomio versions use this driver does not expose Atomio to this vulnerability
[2.0.2] - 2024-02-19
Bug Fixes
- Fixed a bug, introduced in the Spring Security upgrade, that unnecessarily denied access to aliases
[2.0.1] - 2024-01-24
Security
- Updated to Spring Boot 3.2.2 which addresses CVE-2024-22233 Spring Framework server Web DoS Vulnerability
Fixed
- Defect introduced in 2.0.0 adopting Spring Boot 3 which broke Atomio's Swagger UI and OpenAPI documentation
[2.0.0] - 2024-01-19
Change
- For those using H2, H2 has been upgraded and requires a database migration. See Atomio documentation for details of the provided migration Docker image.
Security
- Updated to Spring Boot 3.2.1 which upgrades many dependencies including fixes for outstanding CVEs
[1.6.0] - 2023-02-17
Added
- Support for 'validated' attribute for artefacts as specified at https://ontoserver.csiro.au/docs/6/syndication.html
[1.5.3] - 2023-01-16
Bug Fixes
- Fixed a recursive response when requesting a Feed with Aliases from Atomio's JSON API
Security
- Updated to Spring Boot 2.6.14
[1.5.2] - 2022-11-17
Security
- Updated Spring Security Core and the base Docker image to address CVEs
- CVE-2022-43680
- CVE-2022-31692
[1.5.1] - 2022-10-26
Security
- Updated Spring Boot to 2.6.13 and regenerated base image to address CVEs
- CVE-2022-42003
- CVE-2022-42004
- CVE-2022-31197
- CVE-2022-31679
- CVE-2022-25857
- CVE-2022-38749
- CVE-2022-38750
- CVE-2022-38751
- CVE-2022-38752
- CVE-2022-30065
- CVE-2022-2097
- CVE-2022-37434
[1.5.0] - 2022-07-13
Added
- Support for PostgreSQL as Atomio's database backend, configured by activating the `postgres` Spring profile and setting the appropriate datasource URL.
- `/.well-known/smart-configuration` and `/.well-known/openid-configuration` to support client autodiscovery of authorisation endpoints
Fixed
- CORS support when `atomio.security.enabled=false`, previously only supported when `atomio.security.enabled=true`
[1.4.11] - 2022-06-16
Security
- Updated Spring Boot to 2.6.8 to address CVEs
- CVE-2022-22978
- CVE-2022-22976
- CVE-2022-22970
- CVE-2022-22971
[1.4.10] - 2022-05-04
Security
- Updated Spring Boot to 2.6.7 and moved to the Jib default base image (eclipse-temurin) from gcr.io/distroless/java to address the following CVEs
- CVE-2022-22965
- CVE-2020-36518
- CVE-2021-33813
- CVE-2022-0778
- CVE-2018-25032
- CVE-2022-21449
- CVE-2022-27404
- CVE-2021-45960
- CVE-2022-22822
- CVE-2021-3999
- CVE-2021-33574
[1.4.9] - 2021-12-21
Security
- Updated log4j2 to 2.17.0 to handle CVE-2021-45046 and CVE-2021-45105
[1.4.8] - 2021-12-12
Fixed
- Issue preventing `atomio.security.issuerUri` from being configured on its own, with no JWK set configured
[1.4.7] - 2021-12-12
Security
- Updated log4j2 to 2.15.0 to handle CVE-2021-44228
[1.4.6] - 2021-08-26
Fixed
- Issue causing entries with more than one artefact to produce errors when the entry was deleted
- Rights elements not displaying in the Atom XML version of entries in feeds
[1.4.5] - 2021-07-16
Fixed
- Feed and entry clone changed the file name extension by replacing `.` with `_`
[1.4.4] - 2021-07-09
Changed
- Changed to allow configuration of whether to include a Content-Disposition header or not: `atomio.contentDispositionEnabled`, defaults to `true`
- Changed to allow configuration of the Content-Disposition type, from hard-coded `inline` to configurable via `atomio.contentDispositionType`, which defaults to the more appropriate `attachment`
Fixed
- Fixed Content-Type in artefact GET responses, which the upgraded Spring Boot had been defaulting
- Reinstated `/actuator/info` endpoint in the default configuration, which was lost in a Spring Boot upgrade
[1.4.3] - 2021-06-24
Changed
- Added ability to configure for CORS.
[1.4.2] - 2021-06-09
Changed
- Updated to new Spring Security, which ignores Authorization headers on requests when security is disabled; previously they were rejected.
- Configuration for the JWK set URI moved from the Spring-specific property to `atomio.security.jwkSetUri`; legacy support for the existing configuration is maintained
- Added support for auto-configuration from an OAuth 2.0 or OIDC issuer via `atomio.security.issuerUri`; this also configures JWK signature validation and issuer validation
[1.4.1] - 2021-06-07
Added
- Added atomio.security.allowedOrigins configuration option to allow for CORS support.
Fixed
- Fixed arbitrary limitation of entry rights and summary fields to small sizes, to support changes in the NCTS feed.
[1.4.0] - 2021-01-20
Added
- Anonymous read mode may be enabled by configuration to allow unauthenticated users to list available feeds and feed content, with security still applied to all other operations.
[1.3.0] - 2020-12-21
Added
- OpenAPI v3 documentation endpoint and Swagger UI.
- Ability to associate "aliases" with feeds which provide a movable label with a stable URL that is a proxy for a feed.
- Defaulting for artefact file name, making filename optional in entry creation requests.
Changed
- Handling of file uploads changed to asynchronous to better deal with long duration uploads.
- Enhanced information supplied with storage validation failure messages.
Fixed
- Defect in storage validation that falsely reported file length validation failures for files referred to by more than one entry.
Security
- Added download URL prefix whitelist configuration to prevent exposure of internal content through clone operations. By default no URL prefixes are whitelisted and Atomio will not download from any URL until prefixes are added to `atomio.client.urlWhitelist` as a comma-separated list.
[1.2.1] - 2020-11-20
Fixed
- Removed internal Spring requirement for communication only on plain HTTP, which was causing redirect responses in certain reverse proxy configurations in front of Atomio.
[1.2.0] - 2020-11-20
Added
- Support for FHIR Bundle interpretation batch/collection for entries.
Fixed
- Validation of filenames which was permitting spaces.
[1.1.0] - 2020-10-14
Added
- Support for Sentry.io configuration and connection for error monitoring.