Hello everybody,

Don't ignore this email!

Last week a critical security bug was reported on our bug tracker. We fixed it and built debian packages for the four stable releases we currently support.

The security flaw can cause a privilege escalation from OPAC users. It can be highly damaging, especially if your staff interface is accessible via login from everywhere without further security measures like IP restrictions in place.

How to fix the problem?

If you are using a debian-based system you should upgrade using the debian packages:

% apt update
% apt install koha-common

If you are using an older version of Koha (<19.11) you should either upgrade to a newer version, or apply those two patches (they should apply on older versions as well):

https://paste.debian.net/hidden/885fb5ec/
https://paste.debian.net/hidden/1184f523/
https://paste.debian.net/plainh/ae9f9f25

You can apply them using the following commands:

% wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
% wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
% wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
% patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch
% patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch
% patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch

The two bugs are 28929 and 28947. As they contain information about how to recreate the vulnerability they will stay hidden two more days to let you upgrade your systems.

Let us know if you have any questions!

Regards,
Jonathan
hi folks

i think there might be a small typo in the patch commands - but this worked OK for me...

cd /tmp
wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch
sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28929_2.patch
sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28947.patch

output looks like...

------------------
mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch
patching file members/memberentry.pl
Hunk #1 succeeded at 225 (offset 10 lines).

mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28929_2.patch
patching file opac/opac-memberentry.pl
Hunk #1 succeeded at 523 (offset 1 line).

mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28947.patch
patching file opac/opac-memberentry.pl
patch unexpectedly ends in middle of line
------------------

it seems you can ignore the 'patch unexpectedly ends' message

On 7/09/21 12:00 am, Jonathan Druart wrote:
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
Hi, all.

We applied the patch on our test server running v20.11. In testing, I've run into a problem. After I log in to the OPAC and click on "Your account", when I click on the "your personal details" tab, I get a page that states in part

Sorry, the requested page is not available
Error 500
This message can have the following reason(s):
An error occurred while processing your request.

On our production server, following the same steps, I get a page with my account details.

Is anyone else who has applied the patch seeing the same error?

Andy

On 9/6/2021 8:00 AM, Jonathan Druart wrote:
_______________________________________________
Koha mailing list
http://koha-community.org
Koha@lists.katipo.co.nz
Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
--
Andy Boze, Associate Librarian
University of Notre Dame
271H Hesburgh Library
(574) 631-8708
hi Andy

i'm not sure why you are getting the error on your testing koha, it works ok for me

- are your testing and prod systems running the same koha version
- are they both running the latest 20.11.x koha version (20.11.09)?
- do you get the error if you revert the patches?
- do you have additional code modifications to your testing system?

the 500 error is often caused by a perl syntax error, so perhaps the patching has caused a syntax error in your koha

check your error logs for more info about the error...

tail -f /var/log/koha/mykoha/*err*.log /var/log/apache/*err*.log

On 9/09/21 1:57 am, Andy Boze wrote:
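The two practical problems raised in this thread are that the patch commands can be mistyped (wrong path, wrong -p level, a patch file that ends without a newline) and that a bad patch shows up later as a Perl compile failure behind an Error 500 page. The following POSIX shell helper is an added example, not code from the thread or from the Koha project: it dry-runs each patch before applying it, warns when a patch file lacks a trailing newline (which is what makes patch(1) print "patch unexpectedly ends in middle of line"), compiles the touched scripts with perl -c inside koha-shell after patching, and restarts Plack so the patched files are actually served. The instance name "mykoha", the patch file names, the -p levels, the GNU patch --dry-run option and the /var/log/apache2 path are assumptions; the two script paths are the ones Mason's patch output names.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Koha project.
# Assumptions: GNU patch, Koha's Debian package layout, and an instance
# named "mykoha" (the name in Mason's log path).

# Returns 0 if the file ends with a newline, 1 otherwise.  A patch whose last
# line has no newline makes patch(1) print "patch unexpectedly ends in middle
# of line"; the hunk still applies, which is why the warning can be ignored.
patch_ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c1 "$1" | wc -l)" -eq 1 ]
}

# Dry-run a patch against a directory and only apply it if every hunk would
# succeed.  Arguments: patch file, target directory, -p level (default 1).
apply_patch_checked() {
    patchfile=$1
    dir=$2
    strip=${3:-1}
    if ! patch_ends_with_newline "$patchfile"; then
        echo "note: $patchfile has no trailing newline; expect the 'unexpectedly ends' warning" >&2
    fi
    if ! patch --dry-run -p"$strip" -d "$dir" < "$patchfile" >/dev/null; then
        echo "refusing to apply $patchfile: dry run failed in $dir" >&2
        return 1
    fi
    patch -p"$strip" -d "$dir" < "$patchfile"
}

# Compile-check the scripts a patch touched inside koha-shell, so the check
# runs with the same PERL5LIB and KOHA_CONF as the application itself.  A
# syntax error here is the usual cause of the OPAC "Error 500" page.
check_perl_syntax() {
    instance=$1
    shift
    for script in "$@"; do
        koha-shell -c "perl -c '$script'" "$instance" || return 1
    done
}

# The announcement's three patches with the checks above.  Under Plack the
# patched scripts are only picked up after a restart.
patch_koha_28929_28947() {
    instance=${1:-mykoha}
    apply_patch_checked 28929_1.patch /usr/share/koha/intranet/cgi-bin 1 &&
    apply_patch_checked 28929_2.patch /usr/share/koha/opac/cgi-bin 1 &&
    apply_patch_checked 28947.patch   /usr/share/koha/opac/cgi-bin 1 &&
    check_perl_syntax "$instance" \
        /usr/share/koha/intranet/cgi-bin/members/memberentry.pl \
        /usr/share/koha/opac/cgi-bin/opac/opac-memberentry.pl &&
    koha-plack --restart "$instance"
}

# Usage, as root, from the directory holding the three downloaded patches:
#   . ./koha_patch_check.sh && patch_koha_28929_28947 mykoha
# If the OPAC still returns Error 500, read the logs instead of guessing:
#   tail -n 50 /var/log/koha/mykoha/*err*.log /var/log/apache2/*error*.log
```

The dry run is what turns a typo in the target directory or -p level into a refusal instead of half-applied hunks, and running perl -c through koha-shell (rather than as root with a bare perl) is what makes the check load the same modules and configuration the web server uses.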
Hi, Mason.

Thanks for your e-mail. We're running v 20.11.04 on both test and prod servers. They are essentially identical and the only changes we've made to any files is to alter a text string in a couple of .inc and .tt files and one javascript file. We haven't tried reverting the patches, but that's the next thing we'll do.

Andy

On 9/8/2021 11:04 PM, Mason James wrote:
--
Andy Boze, Associate Librarian
University of Notre Dame
271H Hesburgh Library
(574) 631-8708
participants (3)
- Andy Boze
- Jonathan Druart
- Mason James