[Koha-devel] Security releases for all stable branches - UPGRADE!

Jonathan Druart jonathan.druart at bugs.koha-community.org
Mon Sep 6 14:00:00 CEST 2021


Hello everybody,

Don't ignore this email!

Last week a critical security bug was reported on our bug tracker. We
fixed it and built debian packages for the four stable releases we
currently support.

The security flaw allows a privilege escalation by OPAC users. It
can be highly damaging, especially if your staff interface is
accessible via login from everywhere, without further security measures
such as IP restrictions in place.


How to fix the problem?
If you are using a debian-based system you should upgrade using the
debian packages:
% apt update
% apt install koha-common

If you are using an older version of Koha (<19.11) you should either
upgrade to a newer version, or apply the patches below (three patch
files for the two bugs; they should apply on older versions as well):
https://paste.debian.net/hidden/885fb5ec/
https://paste.debian.net/hidden/1184f523/
https://paste.debian.net/plainh/ae9f9f25

You can apply them using the following commands (the patch files are
saved into the current directory by wget, so run patch from there):
% wget "https://paste.debian.net/plainh/885fb5ec" -O 28929_1.patch
% wget "https://paste.debian.net/plainh/1184f523" -O 28929_2.patch
% wget "https://paste.debian.net/plainh/ae9f9f25" -O 28947.patch
% patch -p1 -d /usr/share/koha/intranet/cgi-bin/ < 28929_1.patch
% patch -p1 -d /usr/share/koha/opac/cgi-bin/ < 28929_2.patch
% patch -d /usr/share/koha/opac/cgi-bin/opac/ < 28947.patch

The two bugs are 28929 and 28947. As they contain information about
how to recreate the vulnerability, they will stay hidden for two more days
to let you upgrade your systems.

Let us know if you have any questions!

Regards,
Jonathan
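Added example (not part of the announcement above, and not Koha project code): the patch commands in the mail apply each file unconditionally, so a typo in the target directory or a second run of the same commands leaves you with a half-patched tree or a "Reversed (or previously applied) patch detected" failure. The helper below wraps `patch` so that each file is dry-run first, a patch that is already in place is reported rather than re-applied, and a patch that does not fit the tree is refused without touching anything. The directory layout, file contents and hunk in `make_fixture` are constructed for the demo and stand in for the real Koha directories and the real 28929/28947 patch files.

```shell
#!/bin/sh
# Added example, not from the Koha announcement: apply a patch only after a
# successful dry run, and recognise an already-applied patch so that a re-run
# neither fails nor double-applies. The sample tree and hunk are constructed
# for the demo; substitute the real Koha directories and patch files.

# apply_patch_checked <target dir> <patch file> [strip level, default 1]
# Return codes: 0 = applied, 2 = already applied (left alone), 1 = does not apply.
apply_patch_checked() {
    dir=$1; patchfile=$2; strip=${3:-1}
    # -f: never prompt, and never silently assume a patch is reversed
    if patch -f --dry-run -p"$strip" -d "$dir" < "$patchfile" >/dev/null 2>&1; then
        patch -f -p"$strip" -d "$dir" < "$patchfile" >/dev/null
        return 0
    fi
    # Forward apply failed: if it applies cleanly in reverse, it is already in.
    if patch -f -R --dry-run -p"$strip" -d "$dir" < "$patchfile" >/dev/null 2>&1; then
        return 2
    fi
    return 1
}

# Constructed stand-in for a Koha install plus a one-hunk patch against it.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/tree/opac"
    printf 'alpha\nbeta\n' > "$fx/tree/opac/example.txt"
    cat > "$fx/example.patch" <<'EOF'
--- a/opac/example.txt
+++ b/opac/example.txt
@@ -1,2 +1,2 @@
 alpha
-beta
+gamma
EOF
    printf '%s\n' "$fx"
}

# Runs the three cases (fresh tree, same patch again, unrelated tree)
# and prints the return codes, expected "0 2 1".
demo_statuses() {
    fx=$(make_fixture)
    first=0;  apply_patch_checked "$fx/tree" "$fx/example.patch" 1 || first=$?
    second=0; apply_patch_checked "$fx/tree" "$fx/example.patch" 1 || second=$?
    # Simulate a tree the patch was not written for (e.g. wrong -d directory)
    printf 'zeta\n' > "$fx/tree/opac/example.txt"
    third=0;  apply_patch_checked "$fx/tree" "$fx/example.patch" 1 || third=$?
    rm -rf "$fx"
    printf '%s %s %s\n' "$first" "$second" "$third"
}

demo_statuses
```

In real use call it once per patch file, for example `apply_patch_checked /usr/share/koha/opac/cgi-bin 28929_2.patch 1`, and stop on a return code of 1 before moving on to the next patch; a 2 means the instance already carries that fix (for instance because koha-common was upgraded from the packages in the meantime).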

