[Koha] [Koha-devel] Security releases for all stable branches - UPGRADE!

Mason James mtj at kohaaloha.com
Tue Sep 7 00:57:43 NZST 2021


hi folks
i think there might be a small typo in the patch commands - but this worked OK for me...

  cd /tmp
  wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
  wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
  wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
  sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch
  sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/     < 28929_2.patch
  sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/     < 28947.patch


output looks like...
------------------
mason at xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch
patching file members/memberentry.pl
Hunk #1 succeeded at 225 (offset 10 lines).

mason at xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ <  28929_2.patch
patching file opac/opac-memberentry.pl
Hunk #1 succeeded at 523 (offset 1 line).

mason at xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28947.patch
patching file opac/opac-memberentry.pl
patch unexpectedly ends in middle of line
------------------

it seems you can ignore the 'patch unexpectedly ends' message


On 7/09/21 12:00 am, Jonathan Druart wrote:
> Hello everybody,
>
> Don't ignore this email!
>
> Last week a critical security bug was reported on our bug tracker. We
> fixed it and built debian packages for the four stable releases we
> currently support.
>
> The security flaw can cause a privilege escalation from OPAC users. It
> can be highly damaging, especially if your staff interface is
> accessible via login from everywhere without further security measures
> like IP restrictions in place.
>
>
> How to fix the problem?
> If you are using a debian-based system you should upgrade using the
> debian packages:
> % apt update
> % apt install koha-common
>
> If you are using an older version of Koha (<19.11) you should either
> upgrade to a newer version, or apply those two patches (they should
> apply on older versions as well):
> https://paste.debian.net/hidden/885fb5ec/
> https://paste.debian.net/hidden/1184f523/
> https://paste.debian.net/plainh/ae9f9f25
>
> You can apply them using the following command:
> % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
> % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
> % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
> % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch
> % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch
> % patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch
>
> The two bugs are 28929 and 28947. As they contain information about
> how to recreate the vulnerability they will stay hidden two more days to let
> you upgrade your systems.
>
> Let us know if you have any questions!
>
> Regards,
> Jonathan
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : https://www.koha-community.org/
> git : https://git.koha-community.org/
> bugs : https://bugs.koha-community.org/
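As an added example, not code from either message: a small POSIX shell pre-flight for the wget-and-patch steps above, covering the "patch unexpectedly ends in middle of line" warning (a patch file saved without a final newline) and a check that the patch's targets exist under the directory given to `patch -d`. It assumes GNU patch (for `--dry-run`) and uses a constructed sample tree and patch file in place of the real Koha directories and paste.debian.net downloads; the function names are illustrative.

```shell
# Added example (not from either message): checks around "patch -p1 -d <koha dir> < file.patch".
set -e

# Cause of "patch unexpectedly ends in middle of line": the saved patch file
# has no final newline. Appends one when needed; prints 1 if it did, else 0.
ensure_trailing_newline() {
  f="$1"
  [ -s "$f" ] || { echo "empty or missing patch file: $f" >&2; return 1; }
  if [ "$(tail -c1 "$f" | wc -l | tr -d ' ')" -eq 0 ]; then printf '\n' >> "$f"; echo 1; else echo 0; fi
}

# Files a unified diff modifies, with N leading path components dropped, which
# is what `patch -pN` does to "+++ b/opac/opac-memberentry.pl" headers.
patch_targets() {
  awk -v n="${2:-1}" '/^\+\+\+ / && $2 != "/dev/null" {
    p = $2; for (i = 0; i < n; i++) sub("^[^/]*/", "", p); print p }' "$1"
}

# Verify every target exists under the directory handed to `patch -d`, so a
# wrong -d path or -p level is caught before anything on the server changes.
check_targets() {
  dir="$1"; missing=0
  for t in $(patch_targets "$2" 1); do
    [ -f "$dir/$t" ] || { echo "missing: $dir/$t" >&2; missing=$((missing + 1)); }
  done
  [ "$missing" -eq 0 ]
}

# One patch end to end: newline fix, target check, dry run, then the real run (GNU patch assumed).
apply_koha_patch() {
  ensure_trailing_newline "$2" >/dev/null || return 1
  check_targets "$1" "$2" || return 1
  patch --dry-run -p1 -d "$1" < "$2" >/dev/null || return 1
  patch -p1 -d "$1" < "$2"
}

# Constructed sample: a stand-in for the Koha OPAC tree plus a one-hunk patch
# deliberately saved without its final newline (the situation in the output above).
make_sample_tree() {
  d=$(mktemp -d); mkdir -p "$d/opac"
  printf 'line1\nline2\nline3\n' > "$d/opac/opac-memberentry.pl"
  printf -- '--- a/opac/opac-memberentry.pl\n+++ b/opac/opac-memberentry.pl\n@@ -1,3 +1,3 @@\n line1\n-line2\n+LINE2\n line3' > "$d/sample.patch"
  echo "$d"
}

# Demo on the sample tree; for real use pass /usr/share/koha/opac/cgi-bin/ etc.
if command -v patch >/dev/null 2>&1; then
  d=$(make_sample_tree) && apply_koha_patch "$d" "$d/sample.patch"
fi
```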
