[Koha] Koha security release -- July 2013

Galen Charlton gmc at esilibrary.com
Tue Jul 30 10:48:05 NZST 2013


[Apologies for multi-posting]

The Koha community is releasing a security update for all supported and
recent unsupported versions of Koha. The security update is available for
the following new releases:

3.12.3
3.10.9
3.8.16
3.6.12

Patches are also available for 3.2.x and 3.4.x.

The security update fixes a situation where manipulation of the cookie used
for retaining OPAC search history for anonymous sessions could
theoretically result in the execution of arbitrary code on a Koha webserver.

We are aware of no active exploits at this time. The security issue can be
mitigated by turning off the EnableOpacSearchHistory system preference.

We recommend that all Koha users upgrade as soon as possible. If you cannot
upgrade immediately, we strongly encourage you to turn off the
EnableOpacSearchHistory system preference until such time as you can
upgrade.

Users of the Debian packages for 3.10.x and 3.12.x can get the latest
release by running apt-get update followed by apt-get upgrade. Because a
new dependency was added recently, it may be necessary to run apt-get
dist-upgrade instead or to run apt-get install koha-common.

For users of the Debian packages for 3.8.x and 3.6.x, since the Koha APT
repository no longer contains those versions, .deb files are available for
download and installation using dpkg -i:

.deb for 3.8.16:
http://download.koha-community.org/koha-common_3.08.16.1-1_all.deb
.deb for 3.6.12:
http://download.koha-community.org/koha-common_3.06.12.1-1_all.deb

Tarballs are also available:

3.12.3: http://download.koha-community.org/koha-3.12.03.tar.gz
3.10.9: http://download.koha-community.org/koha-3.10.09.tar.gz
3.8.16: http://download.koha-community.org/koha-3.08.16.tar.gz
3.6.12: http://download.koha-community.org/old_releases/koha-3.06.12.tar.gz

The patches for 3.4.x and 3.2.x can be found as the top three commits in
the 3.4.x and 3.2.x branches in Koha’s Git repository.

As a general note, if you are not running a version of Koha that has a
release maintainer (currently 3.8.x, 3.10.x, and 3.12.x), we strongly urge
you to upgrade to a supported version.
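For administrators checking a fleet of installations against this announcement, the following script is an added example (it is not part of the Koha announcement or of the Koha project). It classifies a Koha version string against the fixed releases listed above: 3.12.3, 3.10.9, 3.8.16 and 3.6.12, with 3.4.x and 3.2.x reported as branches that carry patches only, so their status has to be confirmed from the Git commits rather than the version number. It accepts either an upstream version ("3.8.16") or the Debian package version ("3.08.16.1-1"); the awk numeric conversion drops the zero padding and the field separator splits off the package revision. Reading the installed version through dpkg-query is an assumption about a Debian-based host; on other installs, pass the version as the first argument.

```shell
#!/bin/sh
# Added example, not from the Koha announcement: classify a Koha version
# against the fixed releases named in the July 2013 security announcement.
# Output is one of: patched, vulnerable, patch-branch (3.4.x/3.2.x, check the
# branch commits), not-covered (a release line the announcement does not list).
koha_fix_status() {
    printf '%s\n' "$1" | awk -F'[.-]' '
    {
        # "+ 0" forces numeric conversion, so "08" becomes 8 and the
        # Debian package version 3.08.16.1-1 is read as 3.8.16.
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj != 3) { print "not-covered"; exit }
        if      (min == 12) need = 3
        else if (min == 10) need = 9
        else if (min == 8)  need = 16
        else if (min == 6)  need = 12
        else if (min == 4 || min == 2) { print "patch-branch"; exit }
        else { print "not-covered"; exit }
        status = (pat >= need) ? "patched" : "vulnerable"
        print status
    }'
}

# Installed koha-common version on a Debian-based host (assumption: dpkg is
# present; the format string is standard dpkg-query syntax). Empty otherwise.
installed_koha_version() {
    dpkg-query -W -f='${Version}' koha-common 2>/dev/null
}

# Use the version given on the command line, else the installed package.
if [ $# -gt 0 ]; then
    v="$1"
else
    v="$(installed_koha_version)"
fi
if [ -n "$v" ]; then
    echo "koha $v: $(koha_fix_status "$v")"
fi
```

Run it as `sh koha-fix-status.sh` on the Koha host itself, or as `sh koha-fix-status.sh 3.10.8` to classify a version collected elsewhere. A "vulnerable" result means either the upgrade or the EnableOpacSearchHistory mitigation described above is still outstanding.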

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org

