A new request with request id 15967 has been created by koha-devel-request@lists.koha-community.org. Short info on the request is :
Title : Koha-devel Digest, Vol 190, Issue 3
Category :
Description : Send Koha-devel mailing list submissions to
koha-devel@lists.koha-community.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
or, via email, send a message with subject or body 'help' to
koha-devel-request@lists.koha-community.org
You can reach the person managing the list at
koha-devel-owner@lists.koha-community.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Koha-devel digest..."
Today's Topics:
1. Fwd: Critical security bug in Koha! (Paul Poulain)
2. Re: Fwd: Critical security bug in Koha! (Paul Poulain)
3. Immediate logout in Koha 21.05.02 (03?) (Michael Kuhn)
----------------------------------------------------------------------
Message: 1
Date: Thu, 2 Sep 2021 14:18:09 +0200
From: Paul Poulain <paul.poulain@biblibre.com>
To: "koha-devel@lists.koha-community.org"
<koha-devel@lists.koha-community.org>, SUPPORT <support@biblibre.com>
Subject: [Koha-devel] Fwd: Critical security bug in Koha!
Message-ID: <a9660ef7-e0e5-866b-ccb7-561cc97da280@biblibre.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Je vous fais suivre ce mail de joubu, si qqn peut se pencher dessus et
contribuer à le résoudre... (me tenir au courant svp)
A+
-------- Message transféré --------
Sujet : Critical security bug in Koha!
Date : Wed, 1 Sep 2021 11:34:23 +0200
De : Jonathan Druart <jonathan.druart@gmail.com>
Pour : Martin Renvoize <martin.renvoize@ptfs-europe.com>, Paul Poulain
<paul.poulain@biblibre.com>, Nick Clemens <nick@bywatersolutions.com>,
Tomas Cohen Arazi <tomascohen@gmail.com>, David Cook
<dcook@prosentient.com.au>, Philippe Blouin
<philippe.blouin@inlibro.com>, Marcel de Rooy
<M.de.Rooy@rijksmuseum.nl>, Andrii Vashchuk <nugged@gmail.com>, Katrin
Fischer <Katrin.Fischer.83@web.de>, Chris Cormack
<chris@bigballofwax.co.nz>, Galen Charlton <gmcharlt@gmail.com>, Mason
James <mtj@kohaaloha.com>, Owen Leonard <oleonard@myacpl.org>
Hello everybody,
If you get this email I am expecting from you to talk about it to whom
could be concerned.
Yesterday a bug (28929) was reported about a possible privilege escalation.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28929
It is confirmed and is highlighly critical in some cases, and stay
critical in all other cases. It's really bad.
Basically we are missing filtering on patron's data when we create or
edit a patron. Which means a user can edit whichever info they want,
by modifying the DOM of the page.
And, it includes borrowers.flags (that's where it hurts really badly).
It impacts both OPAC and Staff interfaces.
What you should do:
1. Reduce the risks!
* Disable PatronSelfRegistration (!)
* Disable AutoApprovePatronProfileSettings (!) or you can totally
disable OPACPatronDetails
2. Make sure the staff interface is not accessible to the world
3. Remove old librarian accounts
4. Something else you have in mind? If so, please share!
Then you should (or ask your team to) help us. We will need people on
the bug to:
1. Write patches and discuss the best approach to fix the different
issues (there are patches already)
2. Test! and test! We will have to test on five different versions
(master+4 stables)!
3. QA, and *really* review, all the different versions (we really want
to prevent a mess publishing a fix that will introduce regressions).
We will then need to coordinate.
A plan (to discuss) could be:
1. Tell the big actors to be ready for an urgent release (This is the
goal of this email!)
2. Make the patches ready for the different versions (see the above)
3. Have all the packages ready, before we communicate publicly (Mason,
will you be available?)
4. Tell the people we know to upgrade (so, you, and those who are
aware of the problem)
5. Announce publicly
What do you think?
This info should not be public, but please communicate as much as you
can around you (people you trust of course).
No need to over communicate either, as we are not ready yet!
If you don't have access to the bug, just tell me (or Tomas, Katrin,
Martin, Nick, etc.)
Cheers,
Jonathan
--
Paul Poulain, Associé-gérant / co-owner
BibLibre, Services en logiciels libres pour les bibliothèques
BibLibre, Open Source software and services for libraries
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20210902/435de5a3/attachment-0001.htm>
------------------------------
Message: 2
Date: Thu, 2 Sep 2021 14:52:10 +0200
From: Paul Poulain <paul.poulain@biblibre.com>
To: koha-devel@lists.koha-community.org
Subject: Re: [Koha-devel] Fwd: Critical security bug in Koha!
Message-ID: <b2c06bcc-c27f-7b9e-5cde-c3a36bebe659@biblibre.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
yikes... merde...
this emails was intended to be forwarded to BibLibre developers, not to
this list :(((
Le 02/09/2021 à 14:18, Paul Poulain a écrit :
>
> Je vous fais suivre ce mail de joubu, si qqn peut se pencher dessus et
> contribuer à le résoudre... (me tenir au courant svp)
>
> A+
>
>
>
> -------- Message transféré --------
> Sujet : Critical security bug in Koha!
> Date : Wed, 1 Sep 2021 11:34:23 +0200
> De : Jonathan Druart <jonathan.druart@gmail.com>
> Pour : Martin Renvoize <martin.renvoize@ptfs-europe.com>, Paul
> Poulain <paul.poulain@biblibre.com>, Nick Clemens
> <nick@bywatersolutions.com>, Tomas Cohen Arazi <tomascohen@gmail.com>,
> David Cook <dcook@prosentient.com.au>, Philippe Blouin
> <philippe.blouin@inlibro.com>, Marcel de Rooy
> <M.de.Rooy@rijksmuseum.nl>, Andrii Vashchuk <nugged@gmail.com>, Katrin
> Fischer <Katrin.Fischer.83@web.de>, Chris Cormack
> <chris@bigballofwax.co.nz>, Galen Charlton <gmcharlt@gmail.com>, Mason
> James <mtj@kohaaloha.com>, Owen Leonard <oleonard@myacpl.org>
>
>
>
> Hello everybody,
>
> If you get this email I am expecting from you to talk about it to whom
> could be concerned.
>
> Yesterday a bug (28929) was reported about a possible privilege
> escalation.
> https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28929
> It is confirmed and is highlighly critical in some cases, and stay
> critical in all other cases. It's really bad.
> Basically we are missing filtering on patron's data when we create or
> edit a patron. Which means a user can edit whichever info they want,
> by modifying the DOM of the page.
> And, it includes borrowers.flags (that's where it hurts really badly).
>
> It impacts both OPAC and Staff interfaces.
>
> What you should do:
> 1. Reduce the risks!
> * Disable PatronSelfRegistration (!)
> * Disable AutoApprovePatronProfileSettings (!) or you can totally
> disable OPACPatronDetails
> 2. Make sure the staff interface is not accessible to the world
> 3. Remove old librarian accounts
> 4. Something else you have in mind? If so, please share!
>
> Then you should (or ask your team to) help us. We will need people on
> the bug to:
> 1. Write patches and discuss the best approach to fix the different
> issues (there are patches already)
> 2. Test! and test! We will have to test on five different versions
> (master+4 stables)!
> 3. QA, and *really* review, all the different versions (we really want
> to prevent a mess publishing a fix that will introduce regressions).
>
> We will then need to coordinate.
> A plan (to discuss) could be:
> 1. Tell the big actors to be ready for an urgent release (This is the
> goal of this email!)
> 2. Make the patches ready for the different versions (see the above)
> 3. Have all the packages ready, before we communicate publicly (Mason,
> will you be available?)
> 4. Tell the people we know to upgrade (so, you, and those who are
> aware of the problem)
> 5. Announce publicly
>
> What do you think?
>
> This info should not be public, but please communicate as much as you
> can around you (people you trust of course).
> No need to over communicate either, as we are not ready yet!
>
> If you don't have access to the bug, just tell me (or Tomas, Katrin,
> Martin, Nick, etc.)
>
> Cheers,
> Jonathan
> --
> Paul Poulain, Associé-gérant / co-owner
> BibLibre, Services en logiciels libres pour les bibliothèques
> BibLibre, Open Source software and services for libraries
>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel@lists.koha-community.org
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : https://www.koha-community.org/
> git : https://git.koha-community.org/
> bugs : https://bugs.koha-community.org/
--
Paul Poulain, Associé-gérant / co-owner
BibLibre, Services en logiciels libres pour les bibliothèques
BibLibre, Open Source software and services for libraries
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20210902/765495e8/attachment-0001.htm>
------------------------------
Message: 3
Date: Thu, 2 Sep 2021 15:22:19 +0200
From: Michael Kuhn <mik@adminkuhn.ch>
To: Koha-devel <koha-devel@lists.koha-community.org>
Subject: [Koha-devel] Immediate logout in Koha 21.05.02 (03?)
Message-ID: <3c65a800-23db-b7c0-320f-b963cea19c1d@adminkuhn.ch>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi
As written on this list on 26 August I tried to install Koha 21.05.03
but after the installation Koha said the installed version was
"21.05.02.003". Jonathan Druart wrote this comes from
commit 8ea80995c590dad86c43df636456640d3aa84bab
Increment version for 21.05.03 release
-$VERSION = "21.05.02.002";
+$VERSION = "21.05.02.003";
Today I updated a Koha 18.11.05 database into this Koha 21.05.02.003
installation. After restarting memcached I executed "sudo
koha-upgrade-schema instancename" - the output looked OK and ended with
the following lines:
Upgrade to 21.05.02.000 done [12:15:20]: Koha 21.05.02 release
Upgrade to 21.05.02.001 done [12:15:20]: Bug 28567 - Set to NULL empty
branches fields
Upgrade to 21.05.02.002 done [12:15:20]: Bug 28813 - Update
delivery_note to failure_code in message_queue
Upgrade to 21.05.02.003 done [12:15:20]: Bug 28872 - Update syspref
values from on and off to 1 and 0
It seems even if I installed Koha 21.05.03 it only upgraded to Koha
21.05.02.
I don't know if there is any connection but whatever, I was able to open
the staff client and to login - but as soon as I click on any link I'm
logged out immediately. I am able to login again and then advance to the
next link but then I'm logged out again etc ad infinitum. It is not
possible to change any system preference (internal server error) or
search for any users.
File "plack-error.log" sometimes tells me, without a timestamp:
new(): failed: query object HASH(0x555f47cfad30) does not support
cookie() and param() methods: Can't call method "cookie" on unblessed
reference at /usr/share/perl5/CGI/Session.pm line 707.
File "plack-intranet-error.log" says:
[2021/09/02 13:33:36] [WARN] Odd number of elements in anonymous hash
at /usr/share/koha/intranet/cgi-bin/catalogue/search.pl line 577.
Can anyone please give me a hint how to solve this problem?
Best wishes: Michael
--
Geschäftsführer · Diplombibliothekar BBS, Informatiker eidg. Fachausweis
Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Schweiz
T 0041 (0)61 261 55 61 · E mik@adminkuhn.ch · W www.adminkuhn.ch
------------------------------
Subject: Digest Footer
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
------------------------------
End of Koha-devel Digest, Vol 190, Issue 3
******************************************
NOTE: You are receiving this mail because, the Requester/Technician wanted you to get notified on this request creation.