[Koha] Koha security release -- July 2013

Vinod Kumar Mishra vinod_librarian at rediffmail.com
Tue Jul 30 16:51:40 NZST 2013


Dear All,

I have just upgraded 3.10.7 to 3.10.9 (Ubuntu package installation) with the upgrade command.

Under About Koha - Perl modules, several optional Perl modules are missing, along with String::Random (required module) and Archive::Extract (module upgrade needed).

Please let me know what to do, or does it affect the proper working of Koha anyway?

On Tue, 30 Jul 2013 04:18:36 +0530  wrote
>[Apologies for multi-posting]



The Koha community is releasing a security update for all supported and recent unsupported versions of Koha. The security update is available for the following new releases:



3.12.3
3.10.9
3.8.16
3.6.12



Patches are also available for 3.2.x and 3.4.x.



The security update fixes a situation where manipulation of the cookie used for retaining OPAC search history for anonymous sessions could theoretically result in the execution of arbitrary code on a Koha webserver.



We are aware of no active exploits at this time. The security issue can be mitigated by turning off the EnableOpacSearchHistory system preference.



We recommend that all Koha users upgrade as soon as possible. If you cannot upgrade immediately, we strongly encourage you to turn off the EnableOpacSearchHistory system preference until such time as you can upgrade.



Users of the Debian packages for 3.10.x and 3.12.x can get the latest release by running apt-get update followed by apt-get upgrade. Because a new dependency was added recently, it may be necessary to run apt-get dist-upgrade instead or to run apt-get install koha-common.



For users of the Debian packages for 3.8.x and 3.6.x, since the Koha APT repository no longer contains those versions, .deb files are available for download and installation using dpkg -i:



.deb for 3.8.16: http://download.koha-community.org/koha-common_3.08.16.1-1_all.deb
.deb for 3.6.12: http://download.koha-community.org/koha-common_3.06.12.1-1_all.deb



Tarballs are also available:



3.12.3: http://download.koha-community.org/koha-3.12.03.tar.gz
3.10.9: http://download.koha-community.org/koha-3.10.09.tar.gz
3.8.16: http://download.koha-community.org/koha-3.08.16.tar.gz
3.6.12: http://download.koha-community.org/old_releases/koha-3.06.12.tar.gz



The patches for 3.4.x and 3.2.x can be found as the top three commits in the 3.4.x and 3.2.x branches in Koha’s Git repository.



As a general note, if you are not running a version of Koha that has a release maintainer (current 3.8.x, 3.10.x, and 3.12.x), we strongly urge you to upgrade to a supported version.



Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: gmc at esilibrary.com
direct: +1 770-709-5581
cell:  +1 404-984-4366
skype: gmcharlt
web:  http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org




With regards,
Vinod Kumar Mishra,
Assistant Librarian,
Biju Patnaik Central Library,
NIT Rourkela,
Mob:91+9439420860
    91+6612462103 (O)
email: vinod_librarian at rediffmail.com
     : mishravk79 at gmail.com

