[koha-commits] main Koha release repository branch 16.11.x updated. v16.11.03

Git repo owner gitmaster at git.koha-community.org
Mon Jan 30 17:26:21 CET 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 16.11.x has been updated
       via  bbc37dcf46ee8ad7b8a1c885a09d4179124b0571 (commit)
       via  dea3bc855d011b47541ed664566940c08ca52ceb (commit)
       via  14e2c2e5f70dc24a0621545aac8a1f8c568331d3 (commit)
       via  248e96030637585408831d9ff39f562b9f26278d (commit)
       via  b1165761d8536263cefaa85b1c001a1b76992321 (commit)
       via  35a090a5d58244947edd1ea40e9188c0b54e4ac0 (commit)
       via  617dfc685e13fb59b48e1e11d795318c1c8a19b7 (commit)
       via  37c2e5496f5b444258cb2e462b61ce3960a3720e (commit)
       via  0b70b7a243ce6943c10953ec2e5debfbedcef31d (commit)
       via  c2e5a1d538445d0c8cd190bb90bf8cadb02b4dc6 (commit)
       via  4a5bf7244f11502deca27b61150fdafebc57a534 (commit)
       via  ddf456271c6fcffb87f12dc8e3353474a9d10b74 (commit)
       via  18cd96ece1e9b00e02b6851eca06053d10a57217 (commit)
       via  b91903ba3f34f5cf760cc3c256f231c5de5389f3 (commit)
       via  b98f3daaa6c69ca22715313b316b77d8fb390006 (commit)
       via  5060e0a230173048596be5b4ea9b5890d7bb5585 (commit)
       via  539758ba2a7b4f5005e5a659d9d6ba30c201f5ed (commit)
       via  f03a1bfe0ef671e59fc6cef8cd325a40ad0e91bb (commit)
      from  e90a3695a96d23e526e2f4d54fd45489fd01eeaa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit bbc37dcf46ee8ad7b8a1c885a09d4179124b0571
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Mon Jan 30 17:19:05 2017 +0100

    Add release notes for the 16.11.03 security release

commit dea3bc855d011b47541ed664566940c08ca52ceb
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Mon Jan 30 16:47:23 2017 +0100

    Bug 17902: Follow-up fixing SQL statement
    
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 40cb8e3b7579987d0d461e8da6e350228722727c)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 14e2c2e5f70dc24a0621545aac8a1f8c568331d3
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Jan 10 18:06:51 2017 +0100

    Bug 17902: Fix possible SQL injection in serials editing
    
    /cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*
    
    The SQL query is not constructed correctly, placeholders must be used.
    Subscription id and status list can be provided by the user.
    
    This vulnerability has been reported by MDSec.
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 248e96030637585408831d9ff39f562b9f26278d
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Mon Jan 30 17:02:52 2017 +0100

    Increment version for 16.11.03 security release

commit b1165761d8536263cefaa85b1c001a1b76992321
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Jan 19 11:46:21 2017 +0100

    Bug 9569: Security patch for AutoLocation
    
    If a patron is not allowed to access the staff interface because its IP
    address is not in the authorised range of IPs, the cookie should not contain
    the CGISESSID.
    If it is, the patron is logged in and will be able to access the staff
    interface if he reloads the page (or hits another one).
    
    Test plan:
    Confirm that the AutoLocation feature is now working as expected.
    
    Note: It seems that this feature has never really worked as intended.
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 93cc0956a923e94663ae74d1f435604844536571)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 35a090a5d58244947edd1ea40e9188c0b54e4ac0
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Jan 19 10:00:40 2017 +0100

    Bug 9569: Update warning message
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 7afddcb157a8d8e27cfdee3cdbeb0eae483aa24c)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 617dfc685e13fb59b48e1e11d795318c1c8a19b7
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Aug 16 14:01:40 2016 +0100

    Bug 9569: Do not check the IP for login at the OPAC
    
    At the OPAC, the AutoLocation feature should not be taken into account:
    login to the OPAC from outside the IP range should work
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit af0af36bb9a520c31c31067b9b68fd565eef0e63)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 37c2e5496f5b444258cb2e462b61ce3960a3720e
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Aug 16 13:56:25 2016 +0100

    Bug 9569: Remove unused occurrence of AutoLocation
    
    `git grep ManualLocation` does not return any results
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 936b23e17a4b7d76d94be276ed1ceb9be8872299)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 0b70b7a243ce6943c10953ec2e5debfbedcef31d
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Aug 16 13:56:19 2016 +0100

    Bug 9569: AutoLocation should not depend on IndependentBranches
    
    Those 2 prefs can be independent and it does not make sense to consider
    AutoLocation only if IndependentBranches is set.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit acabdc87c9a883e36def78dcff6fccb4980d35ab)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit c2e5a1d538445d0c8cd190bb90bf8cadb02b4dc6
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Aug 16 14:02:58 2016 +0100

    Bug 9569: Fix AutoLocation - handle .* for subnets
    
    The example in branches.tt is:
      Can be entered as a single IP, or a subnet such as 192.168.1.*
    
    But actually the regex in C4::Auth does not handle subnets.
    
    Test plan:
    0/ Apply all the patches
    1/ Switch AutoLocation on
    2/ Define a subnet (192.168.0.* if your ip is like 192.168.0.X) in the IP
    range of your library
    3/ Log in on the staff interface
    => Should work
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit a8fdac38d8a1cf9e996195c5b04702d1d2eaa106)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
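
The range check the Bug 9569 series describes, as an added example that is not Koha's C4::Auth code: a client address is matched against the library's configured IP range (a single address or the `192.168.1.*` subnet form from branches.tt), the check is applied to the staff interface only and independently of any other preference, and a refused login receives no session cookie. The function names, the `branch_ip` list and the client addresses are constructed for this example.

```perl
#!/usr/bin/perl
# Added example: matching a client address against a library's configured
# IP range, including the "192.168.1.*" subnet form the commit mentions,
# and using the result to decide whether a staff session may be created.
# Hypothetical code, not Koha's C4::Auth; sample addresses are constructed.
use strict;
use warnings;

# $range: one address or wildcard entry, or several separated by commas.
# Everything is quoted literally except '*', which becomes "digits and dots",
# and the pattern is anchored so 192.168.1.1 does not match 192.168.1.10.
sub ip_in_range {
    my ($ip, $range) = @_;
    return 0 unless defined $ip && defined $range && length $range;
    for my $entry (split /\s*,\s*/, $range) {
        my $re = quotemeta $entry;     # '.' is a literal dot, not "any char"
        $re =~ s/\\\*/[0-9.]+/g;       # the escaped wildcard \* -> [0-9.]+
        return 1 if $ip =~ /^$re\z/;
    }
    return 0;
}

# AutoLocation is evaluated for the staff interface only and independently of
# any other preference; at the OPAC the address is never checked.
sub session_allowed {
    my (%a) = @_;   # interface, auto_location, remote_addr, branch_ip
    return 1 if $a{interface} eq 'opac';
    return 1 unless $a{auto_location};
    return ip_in_range($a{remote_addr}, $a{branch_ip});
}

# Only a permitted login gets a session cookie; a refused one gets none,
# so reloading the page cannot turn the refusal into a logged-in session.
sub login_response {
    my (%a) = @_;
    my $session_id = 'constructed-session-id';
    return session_allowed(%a)
        ? { status => 'ok', cookie => "CGISESSID=$session_id" }
        : { status => 'refused', cookie => undef,
            message => 'IP address not in the library range' };
}

my $branch_ip = '192.168.1.*, 10.0.0.7';   # constructed library range
for my $addr (qw(192.168.1.25 192.168.10.25 10.0.0.7 10.0.0.70)) {
    printf "%-14s %s\n", $addr,
        ip_in_range($addr, $branch_ip) ? 'in range' : 'outside';
}
# 192.168.1.25   in range
# 192.168.10.25  outside
# 10.0.0.7       in range
# 10.0.0.70      outside

my $r = login_response(interface => 'intranet', auto_location => 1,
                       remote_addr => '203.0.113.5', branch_ip => $branch_ip);
print "$r->{status}: ", ($r->{cookie} // 'no session cookie'), "\n";
# refused: no session cookie
```

The two details worth keeping in any implementation of this check are the `quotemeta` before the wildcard is expanded (otherwise the dots in the configured range are regex wildcards themselves) and the `^...\z` anchors (otherwise a configured address is a prefix match). `[0-9.]+` is used for the wildcard so that an entry such as `10.0.*` also covers several trailing octets; restrict it to `[0-9]+` if a wildcard should stand for exactly one octet.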

commit 4a5bf7244f11502deca27b61150fdafebc57a534
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 13 16:19:45 2017 +0100

    Bug 17905: FIX CSRF in member-flags
    
    If an attacker can get an authenticated Koha user to visit their page
    with the url below, privilege escalation is possible
    
    The exploit can be simulated triggering
        /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian
    
    Test plan:
    Trigger the url above
    => Without this patch, 42 is now superlibrarian
    => With this patch, you will get the "Wrong CSRF token" error.
    
    This vulnerability has been reported by MDSec.
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 0c3c162f767f5587f5fad7375151f8efca3689b3)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
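
A session-bound CSRF token check of the kind the Bug 17905 fix adds to member-flags, as an added example that is not Koha's own code: the form carries a hidden token derived from the session with a server-side secret, and a submission that changes flags is refused unless the token matches. The secret, the session id and the `handle_member_flags` handler are constructed for this example; the real module's parameter handling is not reproduced.

```perl
#!/usr/bin/perl
# Added example: a CSRF token bound to the session, checked before a
# state-changing action.  Hypothetical code, not Koha's implementation;
# the secret and session id below are constructed values.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'per-installation-random-secret-kept-server-side';

# Token derivation: an HMAC over the session id with a server-side secret,
# so a token is only valid for the session it was issued to and cannot be
# produced by a third-party page that merely makes the browser send a URL.
sub csrf_token {
    my ($session_id) = @_;
    return hmac_sha256_hex($session_id, $SECRET);
}

# Compare without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub check_csrf_token {
    my ($session_id, $token) = @_;
    return 0 unless defined $token && length $token;
    return constant_time_eq($token, csrf_token($session_id));
}

# A handler in the shape of member-flags: a plain request renders the form
# with the token as a hidden field; a submission with newflags set is only
# honoured when the token matches the current session.
sub handle_member_flags {
    my ($session_id, $param) = @_;   # $param: hashref of request parameters
    if ($param->{newflags}) {
        die "Wrong CSRF token\n"
            unless check_csrf_token($session_id, $param->{csrf_token});
        return "flags of member $param->{member} set to $param->{flag}";
    }
    return sprintf '<input type="hidden" name="csrf_token" value="%s" />',
        csrf_token($session_id);
}

my $session = 'constructed-session-id-1234';

# Request built from a cross-site link: the browser attaches the victim's
# cookie, but the link cannot carry the token, so the change is refused.
eval {
    handle_member_flags($session,
        { member => 42, newflags => 1, flag => 'superlibrarian' });
    1;
} or print "refused: $@";    # refused: Wrong CSRF token

# Request submitted from the real form: token matches, change is applied.
print handle_member_flags($session, {
    member => 42, newflags => 1, flag => 'superlibrarian',
    csrf_token => csrf_token($session),
}), "\n";
```

The token has to be tied to the session (here through the HMAC input) rather than being a single site-wide value; a site-wide token could be read by any user of the site and reused against another. Rendering the token into the template's hidden field is the one-line template change the summary of changes shows for member-flags.tt.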

commit ddf456271c6fcffb87f12dc8e3353474a9d10b74
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 13 16:46:51 2017 +0100

    Bug 17904: Fix possible SQL injection in late orders
    
    To recreate:
    /cgi-bin/koha/acqui/lateorders.plop=send_alert&ordernumber=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0
    
    Notice the delay.
    
    The SQL query is not constructed correctly, placeholders must be used.
    
    This vulnerability has been reported by MDSec.
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit b0bb1b0aa60071950a39b1c1b9e9ec145b304086)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 18cd96ece1e9b00e02b6851eca06053d10a57217
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 13 16:40:59 2017 +0100

    Bug 17903: Fix possible SQL injection in serial claims
    
    To recreate:
    /cgi-bin/koha/serials/claims.pl?serialid=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0
    
    Notice the delay.
    
    The SQL query is not constructed correctly, placeholders must be used.
    
    This vulnerability has been reported by MDSec.
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 179ff58b0980f348821c727c2fa79a5eca310901)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit b91903ba3f34f5cf760cc3c256f231c5de5389f3
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 13 17:07:34 2017 +0100

    Bug 17901: Force context to scalar
    
    See bug 15809 for more references.
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit cb4fa17a2712d04590d218635913bfe794510615)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit b98f3daaa6c69ca22715313b316b77d8fb390006
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 13 17:03:41 2017 +0100

    Bug 17901: Fix possible SQL injection in shelf editing
    
    It has been reported that
    /cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1
    
    Could lead to SQL injection
    Actually it explodes because the generated SQL query is not correctly formatted.
    
    However it would be good to limit the possible values for sortfield.
    
    This vulnerability has been reported by MDSec.
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 45cffd874c62c7b090390c5fb3c955c31f524608)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 5060e0a230173048596be5b4ea9b5890d7bb5585
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 27 10:01:42 2017 +0100

    Bug 17900: Update the tests to the new API
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 42460b871472d2a408bc38a747fd375062af4d7e)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 539758ba2a7b4f5005e5a659d9d6ba30c201f5ed
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 13 17:43:25 2017 +0100

    Bug 17900: Fix possible SQL injection in patron cards template editing
    
    To recreate:
    /cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20
    
    Look at the Profile dropdown list.
    
    To fix this problem and to make sure it does not appear anywhere else
    in the label and patroncards modules, I have refactored the way the
    queries are built in C4::Creators::Lib
    Now all of the subroutines take a hashref as parameter with 'fields'
    and 'filters' parameters.
    From these 2 parameters the new internal subroutine _build_query will
    build the query and use placeholders.
    
    Test plan:
    1/ Make sure you do not recreate the vulnerability with this patch
    applied.
    2/ With decent data in the labels and patroncards modules, compare all
    the different views (under the New and Manage button groups) with and
    without this patch applied.
    => You should not see any differences.
    
    This vulnerability has been reported by MDSec.
    
    Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit a70980d8255a66c33539926796c06b29b26fbb40)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
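
The two patterns behind the SQL injection fixes in this release (Bugs 17900 to 17904: bind every user-supplied value through a placeholder) and the sortfield restriction of Bug 17901 (an identifier cannot be bound, so it is checked against an allowlist), as an added example that is not Koha's C4::Creators::Lib::_build_query: a small builder that takes one hashref with `fields` and `filters` keys and returns the SQL text plus the bind values. The table and column names, the allowlists and the request values are constructed for this example.

```perl
#!/usr/bin/perl
# Added example: a placeholder-based query builder in the style the commit
# describes (one hashref with 'fields' and 'filters').  Hypothetical code,
# not Koha's C4::Creators::Lib::_build_query.
use strict;
use warnings;

# Identifiers (columns, sort fields) cannot be passed as bind values, so
# they are validated against allowlists; every *value* becomes a '?'.
my %ALLOWED_COLUMNS = map { $_ => 1 } qw(template_id template_code profile_id creator);
my %ALLOWED_SORT    = map { $_ => 1 } qw(template_id template_code);

sub _build_query {
    my ($params) = @_;
    my $table     = $params->{table};
    my $fields    = $params->{fields}  || ['*'];
    my $filters   = $params->{filters} || {};
    my $sortfield = $params->{sortfield};

    die "invalid table name\n"
        unless defined $table && $table =~ /^[a-z_]+$/;
    for my $f (@$fields) {
        die "field '$f' not allowed\n" unless $f eq '*' || $ALLOWED_COLUMNS{$f};
    }

    my (@where, @bind);
    for my $column (sort keys %$filters) {
        die "filter column '$column' not allowed\n"
            unless $ALLOWED_COLUMNS{$column};
        my $value = $filters->{$column};
        if (ref $value eq 'ARRAY') {
            # an IN (...) list gets one placeholder per value
            if (@$value) {
                push @where, "$column IN (" . join(',', ('?') x @$value) . ')';
                push @bind, @$value;
            } else {
                push @where, '1=0';   # an empty list matches nothing
            }
        } else {
            push @where, "$column = ?";
            push @bind, $value;
        }
    }

    my $sql = 'SELECT ' . join(', ', @$fields) . " FROM $table";
    $sql .= ' WHERE ' . join(' AND ', @where) if @where;
    if (defined $sortfield) {
        die "sortfield '$sortfield' not allowed\n" unless $ALLOWED_SORT{$sortfield};
        $sql .= " ORDER BY $sortfield";
    }
    return ($sql, \@bind);
}

# Constructed request parameters: profile_id carries extra SQL syntax, as a
# hostile client could send it.  It ends up as one bind value, not as SQL.
my ($sql, $bind) = _build_query({
    table     => 'creator_templates',
    fields    => [qw(template_id template_code)],
    filters   => { profile_id => '23 OR 1=1', template_id => [1, 2, 3] },
    sortfield => 'template_code',
});
print "$sql\n";
# SELECT template_id, template_code FROM creator_templates
#   WHERE profile_id = ? AND template_id IN (?,?,?) ORDER BY template_code
print join(' | ', @$bind), "\n";   # 23 OR 1=1 | 1 | 2 | 3
# With DBI the two parts are used as: $dbh->prepare($sql)->execute(@$bind);

# A sort field outside the allowlist is rejected before any SQL is built,
# which is the "limit the possible values for sortfield" point of bug 17901.
eval { _build_query({ table => 'virtualshelves', sortfield => 'title`' }); 1 }
    or print "rejected: $@";
```

Keeping the builder as the only place that assembles SQL text is what makes the refactoring described above effective: every caller in the label and patroncards modules then gets placeholders without having to remember them, and a review of the one `_build_query` routine covers them all. Note that `ORDER BY` and column lists still need the allowlist, because a placeholder can only ever stand for a value.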

commit f03a1bfe0ef671e59fc6cef8cd325a40ad0e91bb
Author: David Cook <dcook at prosentient.com.au>
Date:   Wed Jan 25 09:58:40 2017 +1100

    Bug 17986: Perl dependency evaluation incorrect
    
    It looks like I made a copy/paste error in a previous patch.
    
    While the fix was working when you pass the param "module" to
    version_info, it wasn't populating the version correctly
    for the "all" param, which causes koha_perl_deps.pl to
    think all OK modules actually need an upgrade.
    
    TEST PLAN
    
    0) Be on a system where you know your Koha Perl dependencies are
    mostly up-to-date
    
    1) Run ./koha_perl_deps.pl -a -c
    2) Note that most modules say they need an upgrade even when
    the installed version is the same as the minimum version
    
    3) Apply patch
    
    4) Run ./koha_perl_deps.pl -a -c
    5) Note that most modules say they're OK, especially when the
    installed version is the same or greater than the minimum version
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Running koha_perl_deps.pl -u convinced me.
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit 4ff78a9a0da486d7f267d1e252f3628ec1a5f149)
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

-----------------------------------------------------------------------

Summary of changes:
 C4/Auth.pm                                         |    8 +-
 C4/Creators/Lib.pm                                 |   56 +++--
 C4/Installer/PerlModules.pm                        |    2 +-
 C4/Letters.pm                                      |    8 +-
 C4/Serials.pm                                      |   13 +-
 Koha.pm                                            |    2 +-
 circ/circulation.pl                                |    5 -
 installer/data/mysql/updatedatabase.pl             |    6 +
 koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt    |   24 +-
 .../prog/en/modules/circ/circulation-home.tt       |    2 +-
 .../prog/en/modules/members/member-flags.tt        |    1 +
 labels/label-edit-profile.pl                       |    2 +-
 labels/label-edit-template.pl                      |    4 +-
 labels/label-manage.pl                             |    8 +-
 labels/label-print.pl                              |    4 +-
 members/member-flags.pl                            |   17 ++
 misc/release_notes/release_notes_16_11_03.html     |  241 ++++++++++++++++++++
 misc/release_notes/release_notes_16_11_03.md       |  196 ++++++++++++++++
 opac/opac-shelves.pl                               |   16 +-
 patroncards/edit-profile.pl                        |    2 +-
 patroncards/edit-template.pl                       |    2 +-
 patroncards/manage.pl                              |    8 +-
 patroncards/print.pl                               |    4 +-
 t/db_dependent/Creators/Lib.t                      |   28 +--
 virtualshelves/shelves.pl                          |    5 +-
 25 files changed, 573 insertions(+), 91 deletions(-)
 create mode 100644 misc/release_notes/release_notes_16_11_03.html
 create mode 100644 misc/release_notes/release_notes_16_11_03.md


hooks/post-receive
-- 
main Koha release repository

