[Koha] Security releases for all stable branches - UPGRADE!
Andy Boze
Boze.1 at nd.edu
Thu Sep 9 01:57:21 NZST 2021
Hi, all.
We applied the patch on our test server running v20.11. In testing, I've
run into a problem. After I log in to the OPAC and click on "Your
account", when I click on the "your personal details" tab, I get a page
that states in part
Sorry, the requested page is not available
Error 500
This message can have the following reason(s):
An error occurred while processing your request.
On our production server, following the same steps, I get a page with my
account details.
Is anyone else who has applied the patch seeing the same error?
Andy
On 9/6/2021 8:00 AM, Jonathan Druart wrote:
> Hello everybody,
>
> Don't ignore this email!
>
> Last week a critical security bug was reported on our bug tracker. We
> fixed it and built Debian packages for the four stable releases we
> currently support.
>
> The security flaw can cause a privilege escalation from OPAC users. It
> can be highly damaging, especially if your staff interface is
> accessible via login from everywhere without further security measures
> like IP restrictions in place.
>
>
> How to fix the problem?
> If you are using a Debian-based system you should upgrade using the
> Debian packages:
> % apt update
> % apt install koha-common
>
> If you are using an older version of Koha (<19.11) you should either
> upgrade to a newer version, or apply those two patches (they should
> apply on older versions as well):
> https://paste.debian.net/hidden/885fb5ec/
> https://paste.debian.net/hidden/1184f523/
> https://paste.debian.net/plainh/ae9f9f25
>
> You can apply them using the following command:
> % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
> % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
> % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
> % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch
> % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch
> % patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch
>
> The two bugs are 28929 and 28947. As they contain information about
> how to recreate the vulnerability they will stay hidden two more days to let
> you upgrade your systems.
>
> Let us know if you have any questions!
>
> Regards,
> Jonathan
> _______________________________________________
>
> Koha mailing list http://koha-community.org
> Koha at lists.katipo.co.nz
> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
>
--
Andy Boze, Associate Librarian
University of Notre Dame
271H Hesburgh Library
(574) 631-8708
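An added check, not from either message and not Koha project code: a small Python dry run that mirrors what `patch --dry-run -pN -d DIR` verifies, so the strip level (the `-p1` given for the two 28929 patches versus none for 28947) can be confirmed against the target tree before anything is modified. The target file and the diff below are constructed samples, and the check is strict (exact offset, no fuzz), so a mismatch means "inspect before applying", not necessarily "patch will refuse".

```python
"""Dry-run applicability check for unified diffs (added example, not Koha code)."""

# Constructed sample: the diff carries a/ b/ prefixes, so it needs -p1 and fails at -p0.
SAMPLE_FILES = {"opac/sample.pl": "#!/usr/bin/perl\nuse strict;\nmy $x = 1;\nprint $x;\n"}
SAMPLE_DIFF = """--- a/opac/sample.pl
+++ b/opac/sample.pl
@@ -2,3 +2,3 @@
 use strict;
-my $x = 1;
+my $x = 2;
 print $x;
"""


def strip_path(path, level):
    """Emulate patch's -pN: drop the first N path components."""
    return "/".join(path.split("/")[level:])


def parse_diff(diff_text):
    """Return [(target_path, [hunk_lines, ...]), ...] from a unified diff."""
    files, hunks, in_hunk = [], None, False
    for line in diff_text.splitlines():
        if line.startswith("--- "):            # old-file header ends any open hunk
            in_hunk = False
        elif line.startswith("+++ ") and not in_hunk:
            hunks = []
            files.append((line[4:].split("\t")[0], hunks))
        elif line.startswith("@@") and hunks is not None:
            hunks.append([line])
            in_hunk = True
        elif in_hunk and line[:1] in (" ", "-", "+"):
            hunks[-1].append(line)
    return files


def hunk_applies(file_lines, hunk):
    """True if every context and removed line matches the file at the stated offset."""
    old_range = hunk[0].split()[1]             # e.g. "-2,3" from "@@ -2,3 +2,3 @@"
    start = max(int(old_range[1:].split(",")[0]) - 1, 0)
    expected = [l[1:] for l in hunk[1:] if l[0] in " -"]
    return file_lines[start:start + len(expected)] == expected


def patch_applies(diff_text, files, strip=1):
    """Map each target (after -p stripping) to whether all of its hunks apply."""
    result = {}
    for path, hunks in parse_diff(diff_text):
        name = strip_path(path, strip)
        content = files.get(name)
        lines = content.splitlines() if content is not None else None
        result[name] = lines is not None and all(hunk_applies(lines, h) for h in hunks)
    return result
```

Pass `files` as a mapping of path (relative to the `-d` directory) to content read from the real tree; a `False` for a path that is absent at the chosen strip level is the same failure `patch` reports as "can't find file to patch".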