Atomio Changelog

All notable changes to Atomio are documented below.

The format is based on Keep a Changelog,

and Atomio adheres to Semantic Versioning.

[2.2.4] - 2025-08-27

Fixed

• Fix MD5Hash not checked when present
• Improve cleanup of temporary files

Security

• Updated dependencies to mitigate CVEs:
• CVE-2025-48924

[2.2.3] - 2025-07-03

Security

• Updated dependencies to mitigate CVEs:
• CVE-2025-48988
• CVE-2025-49146

[2.2.2] - 2025-06-12

Change

• Added a flag to indicate whether permissions should be ignored when cloning a feed or entry.
• Added query-based feeds

Fixed

• An issue preventing configuration validation from validating nested configurations on start up.
• Feed permissions can now also be edited
• Fix get XML response header returning incorrect charset

[2.2.1] - 2025-03-05

Change

• Removed dependency on old 3rd party Atom feed parser (Rome)
• Added the ability to edit a feed or entry

[2.2.0] - 2025-02-11

Change

• Major security enhancements - check feed and entry level permissions in your feeds before deploying this version.
• Added support for feed and entry level read and write permissions as well as supporting API level read and write permissions - see the configuration guide for details.

Security

• Updated to Spring Boot 3.4.2

[2.1.4] - 2024-12-23

Fixed

• Fix issue causing API errors to be obscured

[2.1.3] - 2024-11-27

Change

• Enhanced security checks to issue warnings if SMART configuration is set while security is disabled. Added support for OPTIONS and HEAD requests in anonymous feed reads.

Security

• Updated to Spring Boot 3.4.0

[2.1.2] - 2024-11-25

Change

• Relaxed configuration requirements to allow disabling both audience and clientId validation to support authorisation servers that cannot provide the claims

Security

• Updated to Spring Boot 3.3.5 to address CVE-2024-38821 and CVE-2024-38816

[2.1.1] - 2024-11-21

Change

• Removed restrictions on grant types in OpenID configuration.

[2.1.0] - 2024-07-15

Change

• Added auto-launch of AtomioUI from root.

Fixed

• Fixed a bug that caused aliases to not obey atomio.security.anonymousFeedRead=false as they should.

Security

• Updated to Spring Boot 3.3.1 and the base docker image to resolve CVEs

[2.0.4] - 2024-04-18

Change

• Added compression for responses to reduce bandwidth usage and improve performance for responses over 1KB. Compression is enabled by default and can be disabled by setting server.compression.enabled to false.

[2.0.3] - 2024-02-23

Security

• Upgraded to Spring Boot 3.2.3 resolving CVEs
• Upgraded to PostgreSQL JDBC Driver 47.2.2 to resolve critical vulnerability CVE-2024-1597 - note the use prior Atomio versions make of this driver does not expose Atomio to this vulnerability

[2.0.2] - 2024-02-19

Bug Fixes

• Fixed a bug that denied access to aliases unnecessarily introduced in Spring Security upgrade

[2.0.1] - 2024-01-24

Security

• Updated to Spring Boot 3.2.2 which addresses CVE-202422233 Spring Framework server Web DoS Vulnerability

Fixed

• Defect introduced in 2.0.0 adopting Spring Boot 3 which broke Atomio's Swagger UI and OpenAPI documentation

[2.0.0] - 2024-01-19

Change

• For those using H2, H2 has been upgraded and requires a database migration. See Atomio documentation for details of the provided migration Docker image.

Security

• Updated to Spring Boot 3.2.1 which upgrades many dependencies including fixes for outstanding CVEs

[1.6.0] - 2023-02-17

Added

• Support for 'validated' attribute for artefacts as specified at https://ontoserver.csiro.au/docs/6/syndication.html

[1.5.3] - 2023-01-16

Bug Fixes

• Fixed a recursive response requesting a Feed with Aliases from Atomio's JSON API

Security

• Updated to Spring Boot 2.6.14

[1.5.2] - 2022-11-17

Security

• Updated Spring Security Core and the base Docker image to address CVEs
• CVE-2022-43680
• CVE-2022-31692

[1.5.1] - 2022-10-26

Security

• Updated Spring Boot to 2.6.13 and regenerated base image to address CVEs
• CVE-2022-42003
• CVE-2022-42004
• CVE-2022-31197
• CVE-2022-31679
• CVE-2022-25857
• CVE-2022-38749
• CVE-2022-38750
• CVE-2022-38751
• CVE-2022-38752
• CVE-2022-30065
• CVE-2022-2097
• CVE-2022-30065
• CVE-2022-37434

[1.5.0] - 2022-07-13

Added

• Support for PostgreSQL as Atomio's database backend, configured by activating the postgres Spring profile and setting the appropriate datasource URL.
• /.well-known/smart-configuration and /.well-known/openid-configuration to support client autodiscovery of authorisation endpoints

Fixed

• CORS support when atomio.security.enabled=false, previously only supported when atomio.security.enabled=true

[1.4.11] - 2022-06-16

Security

• Updated Spring Boot to 2.6.8 to address CVEs
• CVE-2022-22978
• CVE-2022-22976
• CVE-2022-22970
• CVE-2022-22971

[1.4.10] - 2022-05-04

Security

• Updated Spring Boot to 2.6.7 and moved to Jib default base image (eclipse-temurin) from gcr.io/distroless/java to address following CVEs
• CVE-2022-22965
• CVE-2020-36518
• CVE-2021-33813
• CVE-2022-0778
• CVE-2018-25032
• CVE-2022-21449
• CVE-2022-0778
• CVE-2022-27404
• CVE-2021-45960
• CVE-2022-22822
• CVE-2021-3999
• CVE-2021-33574

[1.4.9] - 2021-12-21

Security

• Updated log4j2 to 2.17.0 to handle CVE-2021-45046 and CVE-2021-45105

[1.4.8] - 2021-12-12

Fixed

• Issue preventing configuring atomio.security.issuerUri only with no jwks set

[1.4.7] - 2021-12-12

Security

• Updated log4j2 to 2.15.0 to handle CVE-2021-44228

[1.4.6] - 2021-08-26

Fixed

• Issue causing additional (past the first) artefact for an entry to cause errors deleting the entry
• Rights elements not displaying in the Atom XML version of entries in feeds

[1.4.5] - 2021-07-16

Fixed

• Feed and entry clone changing file name extension by replacing . with _

[1.4.4] - 2021-07-09

Changed

• Changed to allow configuration of whether to include a Content-Disposition header or not - atomio.contentDispositionEnabled defaults to true
• Changed to allow configuration of the Content-Disposition type from hard coded to inline - can be changed with atomio.contentDispositionType defaults to more appropriate attachment

Fixed

• Fixed Content-Type in artefact GET request responses which upgraded Spring Boot was defaulting
• Reinstated /actuator/info endpoint in default configuration which was lost in a Spring Boot upgrade

[1.4.3] - 2021-06-24

Changed

• Added ability to configure for CORS.

[1.4.2] - 2021-06-09

Changed

• Updated to new Spring Security which ignores Authorization headers on requests when security is disabled, previously they were rejected.
• Configuration for JWK set URI from Spring specific to atomio.security.jwkSetUri, legacy support for existing configuration maintained
• Configuration support added for auto-configuration from an OAuth 2.0 or OIDC issuer from atomio.security.issuerUri - this will also configure JWK signature validation and issuer validation

[1.4.1] - 2021-06-07

Added

• Added atomio.security.allowedOrigins configuration option to allow for CORS support.

Fixed

• Fixed arbitrary length limitations on entry rights and summary fields to small sizes to support changes in NCTS feed.

[1.4.0] - 2021-01-20

Added

• Anonymous read mode may be enbled by configuration to allow unauthenticated users to list available feeds and feed content,

with security still applied to all other operations.

[1.3.0] - 2020-12-21

Added

• OpenAPI v3 documentation endpoint and Swagger UI.
• Ability to associate "aliases" with feeds which provide a movable label with a stable URL that is a proxy for a feed.
• Defaulting for artefact file name, making filename optional in entry creation requests.

Changed

• Handling of file uploads changed to asynchronous to better deal with long duration uploads.
• Enhanced information supplied with storage validation failure messages.

Fixed

• Defect in storage validation affecting files referred to by more than one entry falsely reporting file length validation failures.

Security

• Added download URL prefix whitelist configuration to prevent exposure of internal content through clone operations.

By default no URL prefixes are whitelisted and Atomio will not download from any URL until prefixes are added to

atomio.client.urlWhitelist as a comma separated list.

[1.2.1] - 2020-11-20

Fixed

• Removed internal Spring requirement for communication only on plain HTTP which was causing redirect responses in certain

reverse proxy configurations in front of Atomio.

[1.2.0] - 2020-11-20

Added

• Support for FHIR Bundle interpretation batch/collection for entries.

Fixed

• Validation of filenames which was permitting spaces.

[1.1.0] - 2020-10-14

Added

• Support for Sentry.io configuration and connection for error monitoring.

[1.0.0] - 2020-10-06