The Evergreen Project announces security releases for Evergreen and OpenSRF.
The Evergreen releases are:
- 3.10.5
- 3.11.6
- 3.12.4
- 3.13.1
The Evergreen releases include fixes for the following issues:
- Two reflected XSS (cross-site scripting) vulnerabilities that would allow arbitrary JavaScript to be executed by the user's web browser
- An insecure direct object reference (IDOR) vulnerability that allows for constructing URLs that can access arbitrary Action Trigger event output, including data related to patron circulation notices
The IDOR vulnerability is considered critical; all Evergreen sites are recommended to upgrade or apply the fixes as soon as possible.
The OpenSRF releases are:
- 3.2.5
- 3.3.1
The OpenSRF releases fix a buffer overflow and a race condition that can crash Perl services. There are no known exploits for either issue, but Evergreen sites are nonetheless recommended to upgrade OpenSRF.
Additional information, including the new releases and release notes with instructions for applying the fixes, can be found on the downloads pages for Evergreen and OpenSRF.