[Koha] Security releases for all stable branches - UPGRADE!

Mason James mtj at kohaaloha.com
Thu Sep 9 15:04:00 NZST 2021

hi Andy
I'm not sure why you are getting the error on your testing koha; it works ok for me.

  - are your testing and prod systems running the same koha version?
  - are they both running the latest 20.11.x koha version (20.11.09)?
  - do you get the error if you revert the patches?
  - do you have additional code modifications on your testing system?

the 500 error is often caused by a Perl syntax error, so perhaps the patching has caused a syntax error in your koha.

check your error logs for more info about the error:

  tail -f /var/log/koha/mykoha/*err*.log /var/log/apache/*err*.log

On 9/09/21 1:57 am, Andy Boze wrote:
> Hi, all.
> We applied the patch on our test server running v20.11. In testing, I've run into a problem. After I log in to the OPAC and click on "Your account", when I click on the "your personal details" tab, I get a page that states in part:
> Sorry, the requested page is not available
> Error 500
> This message can have the following reason(s):
>     An error occurred while processing your request.
> On our production server, following the same steps, I get a page with my account details.
> Is anyone else who has applied the patch seeing the same error?
> Andy
> On 9/6/2021 8:00 AM, Jonathan Druart wrote:
>> Hello everybody,
>> Don't ignore this email!
>> Last week a critical security bug was reported on our bug tracker. We
>> fixed it and built debian packages for the four stable releases we
>> currently support.
>> The security flaw can cause a privilege escalation from OPAC users. It
>> can be highly damaging, especially if your staff interface is
>> accessible via login from everywhere without further security measures
>> like IP restrictions in place.
>> How to fix the problem?
>> If you are using a debian-based system you should upgrade using the
>> debian packages:
>> % apt update
>> % apt install koha-common
>> If you are using an older version of Koha (<19.11) you should either
>> upgrade to a newer version, or apply those two patches (they should
>> apply on older versions as well):
>> https://paste.debian.net/hidden/885fb5ec/
>> https://paste.debian.net/hidden/1184f523/
>> https://paste.debian.net/plainh/ae9f9f25
>> You can apply them using the following command:
>> % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
>> % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
>> % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
>> % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch
>> % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch
>> % patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch
>> The two bugs are 28929 and 28947. As they contain information about
>> how to recreate the vulnerability they will stay hidden two more days to let
>> you upgrade your systems.
>> Let us know if you have any questions!
>> Regards,
>> Jonathan
>> _______________________________________________
>> Koha mailing list  http://koha-community.org
>> Koha at lists.katipo.co.nz
>> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
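Mason's advice above is to read the Koha and Apache error logs for a Perl syntax error introduced by the patching. As an added example (not code from this thread or from the Koha project), the Python script below does that triage mechanically: it pulls Perl compile errors out of error-log lines, extracts the files a patch touched from its `+++` headers, and reports which of the patched files no longer compile. The log lines, the patch text, and the install root `/usr/share/koha/opac/cgi-bin` are constructed samples modelled on Apache's CGI stderr forwarding and Koha's package layout; they are assumptions, not captures from a real system.

```python
"""Triage Koha/Apache error logs for Perl compile failures after patching.

Added example, not from the Koha list thread or the Koha project. All
sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Perl reports compile problems in forms such as:
#   syntax error at /path/file.pl line 123, near "..."
#   Compilation failed in require at /path/other.pl line 45.
#   Global symbol "$x" requires explicit package name ... at /path/f.pl line 7.
PERL_ERR = re.compile(
    r'(?P<msg>syntax error'
    r'|Compilation failed in require'
    r'|Global symbol "[^"]+" requires explicit package name)'
    r'.*? at (?P<file>\S+?) line (?P<line>\d+)'
)

# Matches the "+++ b/path" header of a unified diff; "/dev/null" marks a deletion.
PATCH_FILE = re.compile(r'^\+\+\+ (?:[ab]/)?(\S+)', re.MULTILINE)


@dataclass(frozen=True)
class CompileError:
    file: str
    line: int
    message: str


def find_perl_errors(log_lines):
    """Return one CompileError per distinct (file, line) seen in the log."""
    seen = {}
    for raw in log_lines:
        m = PERL_ERR.search(raw)
        if not m:
            continue
        key = (m.group("file"), int(m.group("line")))
        seen.setdefault(key, CompileError(key[0], key[1], m.group("msg")))
    return list(seen.values())


def parse_patch_files(patch_text, root):
    """Map the files a -p1 patch touches to absolute paths under `root`."""
    root = root.rstrip("/")
    files = {f"{root}/{p}" for p in PATCH_FILE.findall(patch_text) if p != "/dev/null"}
    return sorted(files)


def files_needing_review(log_lines, patched_files):
    """Patched files that the logs show failing to compile, sorted."""
    patched = set(patched_files)
    return sorted({e.file for e in find_perl_errors(log_lines) if e.file in patched})


# Constructed sample log lines (Apache 2.4 error log and Koha plack log styles).
OPAC_ROOT = "/usr/share/koha/opac/cgi-bin"  # assumed package-install path
MEMBERENTRY = f"{OPAC_ROOT}/opac/opac-memberentry.pl"
SAMPLE_LOG = [
    '[Thu Sep 09 14:00:02.123456 2021] [cgi:error] [pid 4321] [client 192.0.2.10:51234] '
    f'AH01215: syntax error at {MEMBERENTRY} line 412, near "my $patron": {MEMBERENTRY}',
    '[2021/09/09 14:00:02] [ERROR] Global symbol "$patron" requires explicit package name '
    f'(did you forget to declare "my $patron"?) at {MEMBERENTRY} line 415.',
    '[Thu Sep 09 14:00:05.654321 2021] [cgi:error] [pid 4322] [client 192.0.2.10:51240] '
    f'AH01215: syntax error at {MEMBERENTRY} line 412, near "my $patron": {MEMBERENTRY}',
    '[2021/09/09 14:00:06] [INFO] OPAC request served: opac-main.pl',
    '[2021/09/09 14:00:07] [ERROR] Compilation failed in require at /usr/share/koha/lib/Koha/Patron.pm line 30.',
]

# Constructed patch headers only; the hunk bodies are irrelevant to the triage.
SAMPLE_PATCH = """\
diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
diff --git a/opac/opac-user.pl b/opac/opac-user.pl
--- a/opac/opac-user.pl
+++ b/opac/opac-user.pl
"""

if __name__ == "__main__":
    for err in find_perl_errors(SAMPLE_LOG):
        print(f"{err.file}:{err.line}: {err.message}")
    touched = parse_patch_files(SAMPLE_PATCH, OPAC_ROOT)
    print("patched files failing to compile:", files_needing_review(SAMPLE_LOG, touched))
```

On a real install, feed it the lines from the paths in Mason's `tail` command and the patch files from the advisory; a hit in `files_needing_review` points at a patch that did not apply cleanly, while a compile error in an untouched file suggests a pre-existing difference between test and production, which is what the questions about matching versions and local modifications are probing.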
