Hi everyone,
As the 2.3 series release maintainer, on behalf of Lebbeous Fogle-Weekley (2.2 maintainer), and Dan Scott (Evergreen 2.1, OpenSRF 2.1 maintainer), I hereby announce Evergreen 2.3.1, 2.2.3, 2.1.4, and OpenSRF 2.1.1, which contain security fixes.
Links to downloads and documentation can be found at
http://evergreen-ils.org/downloads.php and http://evergreen-ils.org/opensrf.php.
Each of these releases also contains bugfixes not related to security.
THESE RELEASES CONTAIN SECURITY UPDATES, so you will want to upgrade as soon as possible.
- The pcrud service and the Evergreen reporting interface are susceptible to leaking sensitive information.
- OpenSRF may log sensitive information to system logs
More information about the security updates can be found in the ChangeLogs.
- These changes require that OpenSRF 2.1.1 be installed before any patches or upgrades to Evergreen are applied!
If you don’t wish to upgrade Evergreen outright to the latest version, sites running 2.1, 2.2, or 2.3 releases today can get the benefit of the security updates by following these steps:
- Download the 2.1.4, 2.2.3, or 2.3.1 release tarball; whichever belongs to the release series you’re currently running.
- Extract the tarball
Updating the OpenSRF configuration
- To add the recommended log redaction configuration to an existing system, you can apply the following patch to
/openils/conf/opensrf_core.xml
:
Updating the IDL
- Copy the new IDL into place:
cp Open-ILS/examples/fm_IDL.xml /openils/conf/
- Copy the web IDL into place:
cp Open-ILS/examples/fm_IDL.xml /openils/var/web/reports/
# NOTE: this will make all reports template creation labels appear in English until you perform a full upgrade
- In the source directory, run
./configure --prefix=/openils --sysconf=/openils/conf && make
to build the libraries - Install the chrpath tool (
aptitude install chrpath
on Debian / Ubuntu systems) - Run
chrpath -d Open-ILS/src/c-apps/.libs/oils_cstore.so
to enable the library to link to the appropriate location. - Copy your existing oils_cstore.so library to a safe location; for example,
cp /openils/lib/oils_cstore.so /openils/oils_cstore.so.20121026
- Copy your new oils_cstore.so library into place:
cp Open-ILS/src/c-apps/.libs/oils_cstore.so /openils/lib/
- VERY IMPORTANT: Repeat the preceding three steps substituting “pcrud” everywhere I said “cstore.” Repeat them again substituting “rstore” everywhere I said “cstore.”
- As the root user, run
ldconfig
to refresh your dynamic linking cache.
To perform the chrpath and copy actions, you can run the following commands as the root
user:
for i in cstore pcrud rstore do chrpath -d Open-ILS/src/c-apps/.libs/oils_$i.so cp -b /openils/lib/oils_$i.so /openils/lib/oils_$i.so.20121026 cp -b Open-ILS/src/c-apps/.libs/oils_$i.so /openils/lib/ done ldconfig
Note that /openils/lib/oils_cstore.so is normally a symbolic link to oils_cstore.so.2.0.0. When applying this procedure, make sure that the final result has all versions of the file name oils_cstore.so[.*] pointing to the same shared object. The same layout is true for pcrud and rstore.
The CStoreEditor module was changed to eliminate a possible leak of sensitive information to the logs. As the location of Perl libraries differs between Linux distributions, the easiest way to get the fixed version of the CStoreEditor module into place is to install the newest copy of all of the Evergreen Perl libraries. Perform the following action as the root user:
cd Open-ILS/src/perlmods make install
- Restart all Evergreen services and Apache.
- Run autogen to publish the IDL changes:
/openils/bin/autogen.sh