[Koha-devel] IMPORTANT: Koha security release

Fridolin SOMERS fridolin.somers at biblibre.com
Fri Feb 7 08:55:00 CET 2014


Hi,

Here is the release announcement for 3.14.03:
http://koha-community.org/koha-3-14-3-released/

Regards,

On 07/02/2014 02:51, Galen Charlton wrote:
> [apologies for the multi-post, but if there are any folks who are
> subscribed to koha-devel but not the general list, they need to see
> this too]
>
> The Koha community is releasing a security update for all supported
> and recent unsupported versions of Koha. The security update is
> available in the following new releases being made today:
>
> * 3.14.3
> * 3.12.10
> * 3.10.13
> * 3.8.23
>
> The following security bugs are fixed by this update:
>
> * Bug 11660: tools/pdfViewer.pl could be used to read arbitrary files
> on the server
> * Bug 11661: the staff interface help editor could be used to modify
> or create arbitrary files on the server with the privileges of the
> Apache user
> * Bug 11662: member-picupload.pl could be used to write to arbitrary
> files on the server with the privileges of the Apache user
> * Bug 11666: the MARC framework import/export function did not require
> authentication, and could be used to perform unexpected SQL commands
>
> The fix for bug 11666 removes SQL as a supported format for importing
> or exporting MARC frameworks.
>
> We recommend that you upgrade immediately to get the fixes for these
> security issues. However, if you are not able to perform the upgrade
> right away, you can mitigate against the issues by performing the
> following actions:
>
> * deleting the pdfViewer.pl script
> * deleting the member-picupload.pl script
> * making edithelp.pl not be executable, e.g., by doing
>
>    chmod a-x edithelp.pl
>
> * making import_export_framework.pl not be executable, which will
> disable the MARC framework import and export functionality
>
> Our thanks to John Lightsey for finding and reporting the issues.
>
> The 3.14.3 and 3.10.13 releases also contain unrelated bugfixes which
> are described in their release notes.
>
> Please note that if you installed from a tarball, you may need to
> manually delete pdfViewer.pl and member-picupload.pl, even after you
> upgrade.
>
> Users of the Debian packages for 3.12.x and 3.14.x (and master) can
> get the latest release by running apt-get update followed by apt-get
> upgrade.
>
> Tarballs are also available and can be downloaded from
> http://download.koha-community.org.
>
> If you are not running a version of Koha that has a release
> maintainer (currently 3.8.x, 3.10.x, 3.12.x, and 3.14.x), we strongly
> urge you to upgrade to a supported version.
>
> Regards,
>
> Galen
>

-- 
Fridolin SOMERS
Biblibre - Support and systems divisions
fridolin.somers at biblibre.com

