[Koha] Security releases for all stable branches - UPGRADE!

Andy Boze Boze.1 at nd.edu
Thu Sep 9 01:57:21 NZST 2021

Hi, all.

We applied the patch on our test server running v20.11. In testing, I've 
run into a problem. After I log in to the OPAC and click on "Your 
account", when I click on the "your personal details" tab, I get a page 
that states in part

Sorry, the requested page is not available
Error 500
This message can have the following reason(s):

     An error occurred while processing your request.

On our production server, following the same steps, I get a page with my 
account details.

Is anyone else who has applied the patch seeing the same error?


On 9/6/2021 8:00 AM, Jonathan Druart wrote:
> Hello everybody,
> Don't ignore this email!
> Last week a critical security bug was reported on our bug tracker. We
> fixed it and built debian packages for the four stable releases we
> currently support.
> The security flaw can cause a privilege escalation from OPAC users. It
> can be highly damaging, especially if your staff interface is
> accessible via login from everywhere without further security measures
> like IP restrictions in place.
> How to fix the problem?
> If you are using a debian-based system you should upgrade using the
> debian packages:
> % apt update
> % apt install koha-common
> If you are using an older version of Koha (<19.11) you should either
> upgrade to a newer version, or apply those two patches (they should
> apply on older versions as well):
> https://paste.debian.net/hidden/885fb5ec/
> https://paste.debian.net/hidden/1184f523/
> https://paste.debian.net/plainh/ae9f9f25
> You can apply them using the following command:
> % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
> % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
> % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
> % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ <
> /kohadevbox/koha/28929_1.patch
> % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch
> % patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch
> The two bugs are 28929 and 28947. As they contain information about
> how to recreate the vulnerability they will stay hidden two more days to let
> you upgrade your systems.
> Let us know if you have any questions!
> Regards,
> Jonathan
> _______________________________________________
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha

Andy Boze, Associate Librarian
University of Notre Dame
271H Hesburgh Library
(574) 631-8708

More information about the Koha mailing list