Links to downloads and documentation can be found at

http://evergreen-ils.org/downloads.php.

The 2.3.6 and 2.2.8 releases also contains bugfixes not related to security.

THESE RELEASES CONTAIN SECURITY UPDATES. We strongly recommend that you upgrade as soon as possible.

• The pcrud, cstore, and rstore services are susceptible to an SQL injection attack.  Any user can potentially make arbitrary SQL run on the Evergreen database.

More information about the security updates and other bugfixes can be found in the ChangeLogs:

• 2.3.6
• 2.2.8
• 2.1.6

If you don’t wish to upgrade Evergreen outright to the latest version, sites running 2.1, 2.2, or 2.3 releases today can get the benefit of the security updates by following these steps:

• Download the 2.1.6, 2.2.8, or 2.3.6 release tarball; whichever belongs to the release series you’re currently running.
• Extract the tarball.

Updating the C libs 

1. In the source directory, run ./configure --prefix=/openils --sysconf=/openils/conf && make to build the libraries
2. Install the chrpath tool (aptitude install chrpath on Debian / Ubuntu systems)
3. Run chrpath -d Open-ILS/src/c-apps/.libs/oils_cstore.so to enable the library to link to the appropriate location.
4. Copy your existing oils_cstore.so library to a safe location; for example, cp /openils/lib/oils_cstore.so /openils/oils_cstore.so.20121026
5. Copy your new oils_cstore.so library into place: cp Open-ILS/src/c-apps/.libs/oils_cstore.so /openils/lib/
6. VERY IMPORTANT: Repeat the preceding three steps substituting “pcrud” everywhere “cstore” was mentioned. Repeat them again substituting “rstore” everywhere “cstore” wass mentioned.
7. As the root user, run ldconfig to refresh your dynamic linking cache.

To perform the chrpath and copy actions, you can run the following commands as the root user:

for i in cstore pcrud rstore
  do chrpath -d Open-ILS/src/c-apps/.libs/oils_$i.so
  cp /openils/lib/oils_$i.so /openils/lib/oils_$i.so.20130417
  cp Open-ILS/src/c-apps/.libs/oils_$i.so /openils/lib/
done
ldconfig

Note that /openils/lib/oils_cstore.so is normally a symbolic link to oils_cstore.so.2.0.0. When applying this procedure, make sure that the final result has all versions of the file name oils_cstore.so[.*] pointing to the same shared object. The same layout is true for pcrud and rstore.

Finally, restart all Evergreen services and Apache.

Please also note that these hot-fix instructions assume that you have installed the previous security releases.  If you have not, you should instead follow the instructions in the previous security release announcement using the tarballs being released today, including installing the latest stable version of OpenSRF (2.1.2).

Since 2.5 is due to be released in September, please add your feature to the roadmap only if you expect that it will be code-complete and publicly available for review by early August at the latest.

For now, the roadmap will live on the wiki at

http://evergreen-ils.org/dokuwiki/doku.php?id=faqs:evergreen_roadmap:2.5

Please add only features that you are committed to work on or that you are committed to funding very soon — the roadmap isn’t meant to be a wishlist or a way of seeking co-sponsorship for potential projects.

To request an account on the wiki, please email docs AT evergreen-ils.org.  Although the roadmap will be continually updated during the 2.5 release cycle, please consider May 1st as a deadline for the first cut.

I’m using the phrase “automated fashion” very broadly.  There are many ways to receive data from an Evergreen system, update data in an Evergreen database, or make transactions happen.  A few of these ways include:

• XML-RPC calls to invoke Evergreen service methods
• SIP2 to perform patron and circulation requests
• Z39.50, unAPI, and OpenSearch to retrieve catalog data
• MARC exports and imports
• Screen-scraping (although if you’re screen-scraping Evergreen, we may be able to suggest a better way to do it)
• Interacting with the Evergreen staff client
• Direct database access
• And others

Some of the things we’d like to know include:

• The name of your service or product
• What it does for an Evergreen library
• How it is accessing Evergreen
• Whether there are specific APIs or entry points that your application depends on
• If there are things that Evergreen could be doing to make your life easier

We want to hear from everybody, whether you are a consortium that has integrated Evergreen with other software, an Evergreen support group,  a vendor providing products or services to libraries, or a member of a free software project whose software talks with Evergreen.  If you work for an Evergreen library and know that Evergreen works with another service, we want to hear from you too, even if you don’t know how Evergreen is doing the talking.

Why do we want to know?  Our reasons include:

• Finding out which entry points we should be particularly careful about changing as Evergreen gets enhanced.
• See if there are things we could be doing better to encourage more people and applications to participate in the Evergreen ecosystem.
• (Maybe) putting together a list of third-party services that interact with Evergreen.

To respond, please comment on this post.

Upcoming PostgreSQL Security Release: April 4, 2013
Posted on 2013-03-28

The PostgreSQL Global Development Group will be releasing a security update for all supported versions on Thursday April 4th, 2013. This release will include a fix for a high-exposure security vulnerability. All users are strongly urged to apply the update as soon as it is available.

We are providing this advance notice so that users may schedule an update of their production systems on or shortly after April 4th.

As always, update releases only require installation of packages and a database system restart. You do not need to dump/restore or use pg_upgrade for this update release.

Please be prepared to update to the security release. While a typical Evergreen configuration does not expose PostgreSQL to public access, the nature of this announcement is unusual for PostgreSQL and suggests that the vulnerability may be particularly concerning.

Evergreen 2.2.7 has been released.  This release contains a number of bugfixes since the last release back in February.  See this page for links to the source code, staff client, release notes, changelog and more.

The bugfixes covered in this release address (in no particular order) SIP interoperability; added content from Syndetics; user interface issues in the staff client, the OPAC, and the staff translations interface; TCN maintenance; serials; patron retrieval by inactive barcode; hold shelf; authorities management; Z39.50 searches; MARC export; the XML-RPC API; and dependencies for installing Evergreen on the most recent Long-Term Support release of Ubuntu.

Thanks as always to all the contributors of the Evergreen community!

• Significant TPAC enhancements
• Streamlined and enhanced Acquisitions functionality
• Expanded options for the configuration of Holds and Circulations

The full set of upcoming features are listed in the release notes, and the complete list  of source code changes since the release of 2.3 is available in the git change log.

The OpenSRF 2.2.0 or later is recommended for use with Evergreen 2.4.  OpenSRF 2.2 is in alpha now, with release expected at approximately the same time as Evergreen 2.4.0.  All testers of the Evergreen 2.4 beta are encouraged to test with OpenSRF 2.2.0, as there are significant performance enhancements and bug fixes associated with Evergreen’s new features.

Thanks to all who helped make this release possible.

1. Support for Apache 2.4, Debian Wheezy, and Fedora 18.
2. Elimination of CPU spikes caused by use of the MultiSession module.  This is particularly relevant for Evergreen as TPac uses MultiSession when fetching bib records for display in search results.
3. Support for graceful reload of Perl services via SIGHUP, which allows the log level to be changed on the fly.  This can also be used to politely clean up after memory leaks.

For a complete list of the changes, please consult the release notes and change log.

Links to the installation tarball, release notes, and installation instructions can be found on the OpenSRF downloads page.

We are considering having 2.2.0 be the recommended OpenSRF version for Evergreen 2.4.  Consequently, testers of the Evergreen 2.4 beta are encouraged to test the OpenSRF alpha as well.  In addition, because of the changes to MultiSession, we are particularly interested in test results from a variety of platforms, particularly ones that use virtualization.

In the mean time the important files can be had from the following locations:

Thanks to everyone who has worked on this release.  There is a lot of great stuff in here.

Thanks also go specifically to Ben Shum, who put together an alpha version of the 2.4 release notes.  I’m not incorporating it into the alpha branch, since features are still being added until beta, but if you want to see what is in the alpha1 cut (and has had at least some simple release notes treatment) you can find that at: http://git.evergreen-ils.org/?p=working/Evergreen.git;a=blob_plain;f=docs/RELEASE_NOTES_2_4.txt;hb=9abccb6caaff8d7f93b1f55b7732669bb6aaefd2

Evergreen 2.2.6 has been released. This release contains
a number of bugfixes since the last release back in January. See
this page for links to the source code, staff client, release notes,
changelog and more: http://evergreen-ils.org/downloads.php

The bugfixes covered in this release address (in no particular order)
serials, the TPAC, vandelay (MARC record import/export), hold rules,
documentation, the staff client, and more.

Thanks as always to all the contributors of the Evergreen community!

The terms will begin after the 2013 Evergreen International Conference.

If you are interested in serving or would like to nominate someone to serve, please send an email to Kathy Lussier at klussier@masslnc.org or to Steve Wills at swills@beyond-print.com.