The Evergreen development team has put together another 2.0 alpha release in the relentless march towards stability. The release, cleverly named alpha 4, incorporates a much smaller number of bug fixes and performance improvements than alpha 3, suggesting that we are indeed getting close to the level of stability needed for a good beta release. Please download the beta (source tarball or virtual image), join the testing effort, and report your findings to the Evergreen development mailing list; the earlier we find bugs, the better the 2.0 release will be!
Evergreen 2.0, alpha 3 release ready and waiting
Yesterday we (the Evergreen development team) finished wrapping up the Evergreen 2.0 alpha 3 release and made it available for your consumption, inspection, testing, development – what have you.
The released files, including the source tarball, staff clients for Windows and Linux, and a virtual image built on Debian Squeeze, are available from the Evergreen downloads page, along with installation instructions.
This alpha release reflects a ton of bug fixes, usability enhancements, and performance improvements since the alpha 2 release, undoubtedly aided by a significant portion of the development team’s focus being concentrated on a migration of a large production environment to this code base.
Thanks for contributions to this release are owed to many in the community, but let’s call out special praise for Thomas Berezansky from MVLC for providing us with the Linux staff client packaging target, and to Chris Sharp of Georgia PINES, Anoop Atre of Minnesota PALS, and Benjamin Shum of Bibliomation Inc. for going through the install process in prior alpha releases and providing us with the feedback we needed to correct problems in the install process and the accompanying documentation.
Security vulnerability in Evergreen 1.6: patch or upgrade advised
On Thursday, June 17th, we realized that the open-ils.pcrud service, which provides permission-protected access to Evergreen data in the 1.6 release series, was subject to a security vulnerability. The vulnerability allows a user to access objects outside of the permissions they have been granted by supplying fleshing arguments to the open-ils.pcrud search service.
By Thursday evening, a patch for the vulnerability had been committed to Evergreen trunk, and by Friday evening that patch had been backported to the 1.6.0 branch. The Evergreen 1.6.0.6 security release was uploaded on Tuesday June 22, and it took until late Friday June 26 to write up the upgrade instructions, release notes, and update the downloads page for the http://evergreen-ils.org Web site.
Today, we worked out how to apply just the security fix to a running system, so that Evergreen libraries can close the vulnerability without having to apply the full release upgrade. The procedure is as follows:
- Download the fixed file: http://svn.open-ils.org/trac/ILS/export/16749/branches/rel_1_6_0/Open-ILS/src/c-apps/oils_cstore.c
- Copy oils_cstore.c over Open-ILS/src/c-apps/oils_cstore.c in the source directory you used to install your Evergreen system
- Run “make” to compile the updated libraries
- Install the chrpath tool (“aptitude install chrpath”)
- Run “chrpath -d Open-ILS/src/c-apps/.libs/oils_pcrud.so” to enable the library to link to the appropriate location
- Copy Open-ILS/src/c-apps/.libs/oils_pcrud.so.* to /openils/lib/.
- Restart the Evergreen C services by running “osrf_ctl.sh -a restart_c”
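The seven steps above, wrapped in a small POSIX shell helper as an added example (this is not an Evergreen project script). It adds the checks an administrator would want before overwriting a running install: it refuses to run unless the directory really is the source tree that was used for the install, it verifies chrpath is present before touching anything, it sanity-checks the download so that an HTML error page is never compiled in place of the C source, and it keeps timestamped backups of the original oils_cstore.c and of the installed oils_pcrud.so.* so the change can be reverted. The download URL, file paths, and commands are the ones given in the post; the backup naming scheme, the LIB_DIR override, the use of wget, and the “--apply” guard are this script’s own assumptions.

```shell
#!/bin/sh
# Added example: hotfix helper for the Evergreen 1.6 pcrud fix described above.
# Not part of the Evergreen project. Paths, URL and commands come from the post;
# backup naming, LIB_DIR and the --apply guard are this script's assumptions.
set -eu

FIXED_URL="http://svn.open-ils.org/trac/ILS/export/16749/branches/rel_1_6_0/Open-ILS/src/c-apps/oils_cstore.c"
LIB_DIR="${LIB_DIR:-/openils/lib}"   # where the built oils_pcrud.so.* files are installed

# True when DIR looks like an Evergreen source tree that was used for an install:
# the file we are about to overwrite, and a top-level Makefile, must already exist.
check_source_tree() {
    dir="$1"
    [ -f "$dir/Open-ILS/src/c-apps/oils_cstore.c" ] && [ -f "$dir/Makefile" ]
}

# Copy FILE to FILE.pre-pcrud-fix.STAMP (preserving mode/mtime) and print the backup path.
backup_file() {
    file="$1"
    stamp="$2"
    bak="$file.pre-pcrud-fix.$stamp"
    cp -p "$file" "$bak"
    printf '%s\n' "$bak"
}

# Cheap sanity check (an assumption, not a signature check): the download must be
# non-empty, contain a C #include, and not be an HTML error page.
looks_like_cstore_source() {
    file="$1"
    [ -s "$file" ] && grep -q '#include' "$file" && ! grep -qi '<html' "$file"
}

apply_hotfix() {
    src="$1"
    stamp=$(date +%Y%m%d%H%M%S)

    check_source_tree "$src" || { echo "not an Evergreen source tree: $src" >&2; return 1; }
    command -v chrpath >/dev/null 2>&1 || { echo "install chrpath first (aptitude install chrpath)" >&2; return 1; }

    # Step 1: download the fixed file to a temporary location and check it.
    tmp=$(mktemp)
    wget -q -O "$tmp" "$FIXED_URL"
    looks_like_cstore_source "$tmp" || { rm -f "$tmp"; echo "download does not look like oils_cstore.c" >&2; return 1; }

    # Step 2: back up the original, then copy the fixed file over it.
    backup_file "$src/Open-ILS/src/c-apps/oils_cstore.c" "$stamp" >/dev/null
    cp "$tmp" "$src/Open-ILS/src/c-apps/oils_cstore.c"
    rm -f "$tmp"

    # Steps 3 and 5: rebuild, then strip the build-tree rpath from the pcrud library.
    ( cd "$src" && make )
    chrpath -d "$src/Open-ILS/src/c-apps/.libs/oils_pcrud.so"

    # Step 6: back up the installed libraries before replacing them.
    for so in "$LIB_DIR"/oils_pcrud.so.*; do
        if [ -f "$so" ]; then backup_file "$so" "$stamp" >/dev/null; fi
    done
    cp "$src"/Open-ILS/src/c-apps/.libs/oils_pcrud.so.* "$LIB_DIR"/

    # Step 7: restart the C services so the new library is loaded.
    osrf_ctl.sh -a restart_c
}

# Do nothing unless explicitly asked, so the file can be sourced or reviewed safely.
# Usage: sh pcrud_hotfix.sh --apply /path/to/Evergreen-ILS-1.6.0.x
if [ "${1:-}" = "--apply" ]; then
    apply_hotfix "${2:-.}"
fi
```

Run it as the same user that performed the original install, from a shell where osrf_ctl.sh is on the PATH; the backups it leaves behind (oils_cstore.c.pre-pcrud-fix.STAMP and /openils/lib/oils_pcrud.so.*.pre-pcrud-fix.STAMP) are what you copy back if the rebuild or restart misbehaves.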
If you are running Evergreen 1.6, we recommend that you apply this security fix as soon as possible, then upgrade to the latest release (1.6.0.6) when you have an opportunity. Evergreen sites running releases prior to 1.6 are not affected by this vulnerability.