[Koha] IMPORTANT: Koha security release

Galen Charlton gmc at esilibrary.com
Fri Feb 7 14:50:19 NZDT 2014


The Koha community is releasing a security update for all supported
and recent unsupported versions of Koha. The security update is
available in the following new releases being made today:

* 3.14.3
* 3.12.10
* 3.10.13
* 3.8.23

The following security bugs are fixed by this update:

* Bug 11660: tools/pdfViewer.pl could be used to read arbitrary files
on the server
* Bug 11661: the staff interface help editor could be used to modify
or create arbitrary files on the server with the privileges of the
Apache user
* Bug 11662: member-picupload.pl could be used to write to arbitrary
files on the server with the privileges of the Apache user
* Bug 11666: the MARC framework import/export function did not require
authentication, and could be used to perform unexpected SQL commands

The fix for bug 11666 removes SQL as a supported format for importing
or exporting MARC frameworks.

We recommend that you upgrade immediately to get the fixes for these
security issues. However, if you are not able to perform the upgrade
right away, you can mitigate the issues in the meantime by performing
the following actions:

* deleting the pdfViewer.pl script
* deleting the member-picupload.pl script
* making edithelp.pl not be executable, e.g., by doing

  chmod a-x edithelp.pl

* making import_export_framework.pl not be executable, which will
disable the MARC framework import and export functionality
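The following script is an added example (it is not part of this advisory or of
the Koha code base) that applies the four interim mitigations above to a Koha
intranet CGI tree and then verifies them. It also serves as the post-upgrade
check for tarball installs mentioned further down, where stale copies of
pdfViewer.pl and member-picupload.pl can survive an upgrade. Only the four file
names come from the advisory; the subdirectory layout of the constructed sample
tree, the install path in the comments and the function names are assumptions,
which is why the scripts are located by name with find rather than by fixed path.

```shell
#!/bin/sh
# Added example: apply the advisory's interim mitigations to a Koha intranet
# cgi-bin tree and verify them. Not Koha project code.

# Delete the two scripts the advisory says to delete and strip the execute
# bit from the two it says to make non-executable. Files are found by name
# because the exact subdirectory layout is an assumption, not advisory text.
koha_mitigate() {
    root="$1"
    for name in pdfViewer.pl member-picupload.pl; do
        find "$root" -type f -name "$name" -exec rm -f {} +
    done
    for name in edithelp.pl import_export_framework.pl; do
        find "$root" -type f -name "$name" -exec chmod a-x {} +
    done
}

# Return 0 only if no copy of the deleted scripts remains anywhere under the
# tree and no copy of the chmod'd scripts is still owner-executable. Stale
# copies left behind by a tarball upgrade would fail this check too.
koha_mitigation_ok() {
    root="$1"
    [ -d "$root" ] || return 1
    for name in pdfViewer.pl member-picupload.pl; do
        [ -z "$(find "$root" -type f -name "$name")" ] || return 1
    done
    for name in edithelp.pl import_export_framework.pl; do
        [ -z "$(find "$root" -type f -name "$name" -perm -100)" ] || return 1
    done
    return 0
}

# Constructed sample tree standing in for a Koha intranet cgi-bin directory.
# The subdirectories (tools/, members/, admin/) and the unrelated export.pl
# are assumptions used only to show that other scripts are left untouched.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/tools" "$root/members" "$root/admin"
    for f in tools/pdfViewer.pl members/member-picupload.pl edithelp.pl \
             admin/import_export_framework.pl tools/export.pl; do
        printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$root/$f"
        chmod 755 "$root/$f"
    done
}

# Stand-alone demo on a throwaway tree. Against a real install the call is
# simply: koha_mitigate /usr/share/koha/intranet/cgi-bin (path assumed from
# the Debian package layout; adjust to your installation).
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
koha_mitigate "$demo_dir"
if koha_mitigation_ok "$demo_dir"; then
    echo "mitigations applied and verified under $demo_dir"
else
    echo "mitigation check FAILED under $demo_dir" >&2
fi
rm -rf "$demo_dir"
```

Both mitigations assume Apache runs the Koha scripts as CGI: mod_cgi refuses to
execute a file without the execute bit, and a deleted script simply returns 404.
Run the check as the Apache user (or as root) so that find can traverse every
directory; a directory it cannot read would make the check pass vacuously.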

Our thanks to John Lightsey for finding and reporting the issues.

The 3.14.3 and 3.10.13 releases also contain unrelated bugfixes which
are described in their release notes.

Please note that if you installed from a tarball, you may need to
manually delete pdfViewer.pl and member-picupload.pl, even after you
upgrade.

Users of the Debian packages for 3.12.x and 3.14.x (and master) can
get the latest release by running apt-get update followed by apt-get
upgrade.

Tarballs are also available and can be downloaded from
http://download.koha-community.org.

If you are not running a version of Koha that has a release
maintainer (currently 3.8.x, 3.10.x, 3.12.x, and 3.14.x), we strongly
urge you to upgrade to a supported version.

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org