<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>A new request with request id 15724 has been created by koha-devel-request@lists.koha-community.org. Short info on the request is : <br><br>Title : Koha-devel Digest, Vol 190, Issue 7<br>Category : <br>Description : <div>Today's Topics:<br><br>   1. Re: Koha-devel Digest, Vol 190, Issue 4 REST API + DataTables<br>      (Mark Hofstetter)<br>   2. Security releases for all stable branches - UPGRADE!<br>      (Jonathan Druart)<br>   3. Re: Security releases for all stable branches - UPGRADE!<br>      (Mason James)<br>   4. 
REST API + DataTables (dcook@prosentient.com.au)<br><br><br>----------------------------------------------------------------------<br><br>Message: 1<br>Date: Mon, 6 Sep 2021 13:32:00 +0200<br>From: Mark Hofstetter <mark@hofstetter.at><br>To: koha-devel@lists.koha-community.org,<br>    koha-devel-request@lists.koha-community.org<br>Subject: Re: [Koha-devel] Koha-devel Digest, Vol 190, Issue 4 REST API<br>    + DataTables<br>Message-ID: <83d3ea8a-a6e5-9b44-277c-a487a2c8f7b5@hofstetter.at><br>Content-Type: text/plain; charset=utf-8; format=flowed<br><br>Hi,<br><br>I've written some plugins that work with datatables which seems quite <br>straightforward to me<br><br>the plugins are too specific to use widely but I would be happy to share <br>the code anyway!<br><br>regards<br><br>Mark<br><br><br><br><br><br>------------------------------<br><br>Message: 2<br>Date: Mon, 6 Sep 2021 14:00:00 +0200<br>From: Jonathan Druart <jonathan.druart@bugs.koha-community.org><br>To: koha-devel <koha-devel@lists.koha-community.org>, koha<br>    <koha@lists.katipo.co.nz><br>Subject: [Koha-devel] Security releases for all stable branches -<br>    UPGRADE!<br>Message-ID:<br>    <CAJzKNY5_61OwpJ+0RWgJ9vTP=LYR7=V8jZ2UShwVCGYLKeRffg@mail.gmail.com><br>Content-Type: text/plain; charset="UTF-8"<br><br>Hello everybody,<br><br>Don't ignore this email!<br><br>Last week a critical security bug was reported on our bug tracker. We<br>fixed it and built debian packages for the four stable releases we<br>currently support.<br><br>The security flaw can cause a privilege escalation from OPAC users. 
It<br>can be highly damaging, especially if your staff interface is<br>accessible via login from everywhere without further security measures<br>like IP restrictions in place.<br><br><br>How to fix the problem?<br>If you are using a debian-based system you should upgrade using the<br>debian packages:<br>% apt update<br>% apt install koha-common<br><br>If you are using an older version of Koha (<19.11) you should either<br>upgrade to a newer version, or apply those two patches (they should<br>apply on older versions as well):<br>https://paste.debian.net/hidden/885fb5ec/<br>https://paste.debian.net/hidden/1184f523/<br>https://paste.debian.net/plainh/ae9f9f25<br><br>You can apply them using the following command:<br>% wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch<br>% wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch<br>% wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch<br>% patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch<br>% patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch<br>% patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch<br><br>The two bugs are 28929 and 28947. 
As they contain information about<br>how to recreate the vulnerability they will stay hidden two more days to let<br>you upgrade your systems.<br><br>Let us know if you have any questions!<br><br>Regards,<br>Jonathan<br><br><br>------------------------------<br><br>Message: 3<br>Date: Tue, 7 Sep 2021 00:57:43 +1200<br>From: Mason James <mtj@kohaaloha.com><br>To: koha-devel <koha-devel@lists.koha-community.org>, koha<br>    <koha@lists.katipo.co.nz><br>Subject: Re: [Koha-devel] Security releases for all stable branches -<br>    UPGRADE!<br>Message-ID: <b9e50e7d-b4b9-c62b-188b-634e8ebb93ef@kohaaloha.com><br>Content-Type: text/plain; charset=utf-8; format=flowed<br><br>hi folks<br>i think there might be a small typo in the patch commands - but this worked OK for me...<br><br>  cd /tmp<br>  wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch<br>  wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch<br>  wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch<br>  sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch<br>  sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/     < 28929_2.patch<br>  sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/     < 28947.patch<br><br><br>output looks like...<br>------------------<br>mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch<br>patching file members/memberentry.pl<br>Hunk #1 succeeded at 225 (offset 10 lines).<br><br>mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ <  28929_2.patch<br>patching file opac/opac-memberentry.pl<br>Hunk #1 succeeded at 523 (offset 1 line).<br><br>mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28947.patch<br>patching file opac/opac-memberentry.pl<br>patch unexpectedly ends in middle of line<br>------------------<br><br>it seems you can ignore the 'patch unexpectedly ends' message<br><br><br>On 7/09/21 12:00 am, Jonathan Druart wrote:<br>> Hello everybody,<br>><br>> Don't ignore this 
email!<br>><br>> Last week a critical security bug was reported on our bug tracker. We<br>> fixed it and built debian packages for the four stable releases we<br>> currently support.<br>><br>> The security flaw can cause a privilege escalation from OPAC users. It<br>> can be highly damaging, especially if your staff interface is<br>> accessible via login from everywhere without further security measures<br>> like IP restrictions in place.<br>><br>><br>> How to fix the problem?<br>> If you are using a debian-based system you should upgrade using the<br>> debian packages:<br>> % apt update<br>> % apt install koha-common<br>><br>> If you are using an older version of Koha (<19.11) you should either<br>> upgrade to a newer version, or apply those two patches (they should<br>> apply on older versions as well):<br>> https://paste.debian.net/hidden/885fb5ec/<br>> https://paste.debian.net/hidden/1184f523/<br>> https://paste.debian.net/plainh/ae9f9f25<br>><br>> You can apply them using the following command:<br>> % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch<br>> % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch<br>> % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch<br>> % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch<br>> % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch<br>> % patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch<br>><br>> The two bugs are 28929 and 28947. 
As they contain information about<br>> how to recreate the vulnerability they will stay hidden two more days to let<br>> you upgrade your systems.<br>><br>> Let us know if you have any questions!<br>><br>> Regards,<br>> Jonathan<br>> _______________________________________________<br>> Koha-devel mailing list<br>> Koha-devel@lists.koha-community.org<br>> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel<br>> website : https://www.koha-community.org/<br>> git : https://git.koha-community.org/<br>> bugs : https://bugs.koha-community.org/<br><br><br><br>------------------------------<br><br>Message: 4<br>Date: Tue, 7 Sep 2021 10:15:17 +1000<br>From: <dcook@prosentient.com.au><br>To: "'Mark Hofstetter'" <mark@hofstetter.at><br>Cc: <koha-devel@lists.koha-community.org><br>Subject: [Koha-devel] REST API + DataTables<br>Message-ID: <108b01d7a37d$7011c050$503540f0$@prosentient.com.au><br>Content-Type: text/plain;    charset="utf-8"<br><br>Thanks, Mark. That would be great!<br><br>David Cook<br>Senior Software Engineer<br>Prosentient Systems<br>Suite 7.03<br>6a Glen St<br>Milsons Point NSW 2061<br>Australia<br><br>Office: 02 9212 0899<br>Online: 02 8005 0595<br><br>-----Original Message-----<br>From: Koha-devel <koha-devel-bounces@lists.koha-community.org> On Behalf Of Mark Hofstetter<br>Sent: Monday, 6 September 2021 9:32 PM<br>To: koha-devel@lists.koha-community.org; koha-devel-request@lists.koha-community.org<br>Subject: Re: [Koha-devel] Koha-devel Digest, Vol 190, Issue 4 REST API + DataTables<br><br>Hi,<br><br>I've written some plugins that work with datatables which seems quite straightforward to me<br><br>the plugins are too specific to use widely but I would be happy to share the code anyway!<br><br>regards<br><br>Mark<br><br><br><br>
------------------------------<br><br>End of Koha-devel Digest, Vol 190, Issue 7<br>******************************************<br></div><br></body></html>