Security releases for all stable branches - UPGRADE!
Hello everybody, Don't ignore this email! Last week a critical security bug was reported on our bug tracker. We fixed it and built debian packages for the four stable releases we currently support. The security flaw can cause a privilege escalation from OPAC users. It can be highly damaging, especially if your staff interface is accessible via login from everywhere without further security measures like IP restrictions in place. How to fix the problem? If you are using a debian-based system you should upgrade using the debian packages: % apt update % apt install koha-common If you are using an older version of Koha (<19.11) you should either upgrade to a newer version, or apply those two patches (they should apply on older versions as well): https://paste.debian.net/hidden/885fb5ec/ https://paste.debian.net/hidden/1184f523/ https://paste.debian.net/plainh/ae9f9f25 You can apply them using the following command: % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch % patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch The two bugs are 28929 and 28947. As they contain information about how to recreate the vulnerability they will stay hidden two more days to let you upgrade your systems. Let us know if you have any questions! Regards, Jonathan
hi folks i think there might be a small typo in the patch commands - but this worked OK for me... cd /tmp wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28929_2.patch sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28947.patch output looks like... ------------------ mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch patching file members/memberentry.pl Hunk #1 succeeded at 225 (offset 10 lines). mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28929_2.patch patching file opac/opac-memberentry.pl Hunk #1 succeeded at 523 (offset 1 line). mason@xen1:/tmp$ sudo patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28947.patch patching file opac/opac-memberentry.pl patch unexpectedly ends in middle of line ------------------ it seems you can ignore the 'patch unexpectedly ends' message On 7/09/21 12:00 am, Jonathan Druart wrote:
Hello everybody,
Don't ignore this email!
Last week a critical security bug was reported on our bug tracker. We fixed it and built debian packages for the four stable releases we currently support.
The security flaw can cause a privilege escalation from OPAC users. It can be highly damaging, especially if your staff interface is accessible via login from everywhere without further security measures like IP restrictions in place.
How to fix the problem? If you are using a debian-based system you should upgrade using the debian packages: % apt update % apt install koha-common
If you are using an older version of Koha (<19.11) you should either upgrade to a newer version, or apply those two patches (they should apply on older versions as well): https://paste.debian.net/hidden/885fb5ec/ https://paste.debian.net/hidden/1184f523/ https://paste.debian.net/plainh/ae9f9f25
You can apply them using the following command: % wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch % wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch % wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch % patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < /kohadevbox/koha/28929_1.patch % patch -p1 -d /usr/share/koha/opac/cgi-bin/ < /kohadevbox/koha/28929_2.patch % patch -d /usr/share/koha/opac/cgi-bin/opac/ < /kohadevbox/koha/28947.patch
The two bugs are 28929 and 28947. As they contain information about how to recreate the vulnerability they will stay hidden two more days to let you upgrade your systems.
Let us know if you have any questions!
Regards, Jonathan _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
On 2021-09-06 8:00 a.m., Jonathan Druart wrote:
Don't ignore this email! [snip]> If you are using an older version of Koha (<19.11) you should either upgrade to a newer version, or apply those two patches (they should apply on older versions as well):
Jonathan -- many thanks. As for older versions, for 3.8.24 (I know ;=} but it still works perfectly for a non-lending library, so we still consider it as a "stable" branch): First patch works apparently perfectly, but starts around line 179 Second patch, gdpr_proc_consent does not exist (compliance for us taken care of at system level) Third patch, PatronSelfRegistration does not exist. Best regards all round and please stay safe, Paul
Hi, If anyone needs it we have patches for 17.11 and 16.11 (conflicts are trivial). Look at the 2 top commits in : https://git.biblibre.com/biblibre/kohac/commits/branch/17.11/MT33996 https://git.biblibre.com/biblibre/kohac/commits/branch/16.11/MT33996 Best regards, Le 07/09/2021 à 04:15, Paul A a écrit :
On 2021-09-06 8:00 a.m., Jonathan Druart wrote:
Don't ignore this email! [snip]> If you are using an older version of Koha (<19.11) you should either upgrade to a newer version, or apply those two patches (they should apply on older versions as well):
Jonathan -- many thanks. As for older versions, for 3.8.24 (I know ;=} but it still works perfectly for a non-lending library, so we still consider it as a "stable" branch):
First patch works apparently perfectly, but starts around line 179 Second patch, gdpr_proc_consent does not exist (compliance for us taken care of at system level) Third patch, PatronSelfRegistration does not exist.
Best regards all round and please stay safe, Paul _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
-- Fridolin SOMERS <fridolin.somers@biblibre.com> Software and system maintainer 🦄 BibLibre, France
participants (4)
-
Fridolin SOMERS -
Jonathan Druart -
Mason James -
Paul A