[Koha] Security releases for all stable branches - UPGRADE!

Andy Boze Boze.1 at nd.edu
Fri Sep 10 02:15:11 NZST 2021


Hi, Mason.

Thanks for your e-mail. We're running v20.11.04 on both test and prod 
servers. They are essentially identical, and the only changes we've made 
to any files are to alter a text string in a couple of .inc and .tt files 
and one JavaScript file. We haven't tried reverting the patches, but 
that's the next thing we'll do.

Andy

On 9/8/2021 11:04 PM, Mason James wrote:
> hi Andy
> I'm not sure why you are getting the error on your testing Koha; it 
> works OK for me.
> 
>   - are your testing and prod systems running the same Koha version?
>   - are they both running the latest 20.11.x Koha version (20.11.09)?
>   - do you get the error if you revert the patches?
>   - do you have additional code modifications on your testing system?
> 
> The 500 error is often caused by a Perl syntax error, so perhaps the 
> patching has caused a syntax error in your Koha.
> 
> Check your error logs for more info about the error:
> 
>   tail -f /var/log/koha/mykoha/*err*.log /var/log/apache/*err*.log
> 
> 
> On 9/09/21 1:57 am, Andy Boze wrote:
>> Hi, all.
>>
>> We applied the patch on our test server running v20.11. In testing, 
>> I've run into a problem. After I log in to the OPAC and click on "Your 
>> account", when I click on the "your personal details" tab, I get a 
>> page that states in part
>>
>> Sorry, the requested page is not available
>> Error 500
>> This message can have the following reason(s):
>>
>>     An error occurred while processing your request.
>>
>> On our production server, following the same steps, I get a page with 
>> my account details.
>>
>> Is anyone else who has applied the patch seeing the same error?
>>
>> Andy
>>
>> On 9/6/2021 8:00 AM, Jonathan Druart wrote:
>>> Hello everybody,
>>>
>>> Don't ignore this email!
>>>
>>> Last week a critical security bug was reported on our bug tracker. We
>>> fixed it and built debian packages for the four stable releases we
>>> currently support.
>>>
>>> The security flaw can cause a privilege escalation from OPAC users. It
>>> can be highly damaging, especially if your staff interface is
>>> accessible via login from everywhere without further security measures
>>> like IP restrictions in place.
>>>
>>>
>>> How to fix the problem?
>>> If you are using a debian-based system you should upgrade using the
>>> debian packages:
>>> % apt update
>>> % apt install koha-common
>>>
>>> If you are using an older version of Koha (<19.11) you should either
>>> upgrade to a newer version, or apply those two patches (they should
>>> apply on older versions as well):
>>> https://paste.debian.net/hidden/885fb5ec/
>>> https://paste.debian.net/hidden/1184f523/
>>> https://paste.debian.net/plainh/ae9f9f25
>>>
>>> You can apply them using the following command:
>>> % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
>>> % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
>>> % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
>>> % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < ./28929_1.patch
>>> % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < ./28929_2.patch
>>> % patch -d /usr/share/koha/opac/cgi-bin/opac/ < ./28947.patch
>>>
>>> The two bugs are 28929 and 28947. As they contain information about
>>> how to recreate the vulnerability they will stay hidden two more days
>>> to let you upgrade your systems.
>>>
>>> Let us know if you have any questions!
>>>
>>> Regards,
>>> Jonathan
>>> _______________________________________________
>>>
>>> Koha mailing list  http://koha-community.org
>>> Koha at lists.katipo.co.nz
>>> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
-- 
Andy Boze, Associate Librarian
University of Notre Dame
271H Hesburgh Library
(574) 631-8708
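Mason's diagnosis (a 500 right after patching usually means a Perl syntax error) and Jonathan's patch commands suggest a simple post-patch check that would have caught Andy's problem on the command line instead of on the OPAC's "Error 500" page. The script below is an added example, not code from the Koha project or from anyone in this thread. It dry-runs each patch, applies it, and then compiles every Perl file the patch touched with perl -c. It assumes the Debian-package paths from the advisory, that Koha's modules live under /usr/share/koha/lib (an assumption; override with KOHA_LIB, or run it inside koha-shell <instance>, which sets the instance's own KOHA_CONF and PERL5LIB), and that the three patch files were saved into the current directory as the advisory's wget lines do. The file name koha-post-patch-check.sh and the --run flag are mine.

```shell
#!/bin/sh
# Post-patch sanity check for the Koha security patches in the advisory above.
# Added example, not Koha project code. Assumes the Debian-package layout the
# advisory uses (/usr/share/koha/...), that Koha's Perl modules live under
# /usr/share/koha/lib (assumption; override with KOHA_LIB), and that the three
# patch files sit in the current directory, as the advisory's wget lines leave them.
set -u

KOHA_LIB="${KOHA_LIB:-/usr/share/koha/lib}"

# Print the files a unified diff modifies, read from its "+++" headers.
# $2 is the number of leading path components to drop, matching patch's -p
# option ("1" for -p1); "all" mimics patch with no -p at all, which keeps only
# the basename. Deleted files ("+++ /dev/null") are skipped.
patched_files() {
    awk -v n="$2" '
        /^\+\+\+ / {
            f = $2                       # path sits before any tab/timestamp
            if (f == "/dev/null") next
            if (n == "all") sub(/.*\//, "", f)
            else for (i = 0; i < n; i++) sub(/^[^\/]*\//, "", f)
            print f
        }' "$1"
}

# Compile a Perl file without running it. perl -c reports the syntax errors
# that Apache otherwise surfaces only as a bare "Error 500" in the OPAC.
perl_syntax_ok() {
    if ! out=$(perl -I"$KOHA_LIB" -c "$1" 2>&1); then
        printf 'SYNTAX ERROR in %s:\n%s\n' "$1" "$out" >&2
        return 1
    fi
}

# Dry-run the patch first (a rejected dry run usually means a wrong -p/-d, or a
# patch that is already applied), then apply it and compile every .pl/.pm it
# touched. Templates (.tt/.inc) are not Perl, so they are left to the login test.
apply_and_check() {
    pf=$1; dir=$2; popt=${3:-}
    n=${popt#-p}
    if [ -z "$n" ]; then n=all; fi
    if ! patch $popt --dry-run -d "$dir" < "$pf" >/dev/null 2>&1; then
        echo "FAIL: $pf does not apply cleanly to $dir (already applied, or wrong -p/-d?)" >&2
        return 1
    fi
    patch $popt -d "$dir" < "$pf" || return 1
    rc=0
    for f in $(patched_files "$pf" "$n"); do
        case "$f" in
            *.pl|*.pm) perl_syntax_ok "$dir/$f" || rc=1 ;;
        esac
    done
    return "$rc"
}

main() {
    ver=$(dpkg-query -W -f='${Version}' koha-common 2>/dev/null || echo "not a package install")
    echo "koha-common version: $ver   (fixed 20.11.x release named in the thread: 20.11.09)"
    rc=0
    # Same patch files, target directories and -p levels as the advisory's commands.
    apply_and_check ./28929_1.patch /usr/share/koha/intranet/cgi-bin/ -p1 || rc=1
    apply_and_check ./28929_2.patch /usr/share/koha/opac/cgi-bin/ -p1 || rc=1
    apply_and_check ./28947.patch /usr/share/koha/opac/cgi-bin/opac/ "" || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "All patches applied and every touched Perl file compiles; now log in to the OPAC and re-test."
    else
        echo "Something failed; watch the logs: tail -f /var/log/koha/<instance>/*err*.log /var/log/apache2/*err*.log" >&2
    fi
    return "$rc"
}

# Only run the real procedure when invoked as: sh koha-post-patch-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from the directory holding the three patch files, as the instance user or under koha-shell so perl -c can find Koha's modules and configuration. A failing dry run on a server that was already patched (Andy's test server, for instance) is expected and is the reason for the dry run: it keeps you from applying a patch twice. If a .pl fails to compile, the perl -c output printed by perl_syntax_ok names the file and line, which is the same information Mason suggests digging out of the Plack/Apache error logs.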