Evergreen 2.2.0, 2.1.2 rc2, and 2.0.12 released – with SECURITY fixes


I would like to announce the long-awaited Evergreen 2.2.0, the first official, stable release with the new Template Toolkit OPAC, and a whole passel of other new features.

You can download it now!

The release notes for 2.2.0 are here.

2.1.2 rc2 and 2.0.12 are also announced (thanks to Dan Scott and Jason Stephenson, respectively)!

2.0.12 is a security update only, and contains no new features.

The technical changelog for 2.2.0 is here.

THESE RELEASES CONTAIN SECURITY UPDATES, so you will want to upgrade as soon as possible.

Upgrading to the latest release in your series (2.2, 2.1, or 2.0) is sufficient to protect your site with these security updates:

  • Give away less information with the LOGIN_FAILURE event
  • Prevent deleted and barred users from logging in at all
  • Require the UPDATE_MARC permission rather than only the CREATE_MARC permission for users to update bibliographic records

More information about the security updates can be found in the ChangeLog.

If you don’t wish to upgrade outright to the latest version, sites running any 2.0, 2.1, or 2.2 code today can get the benefit of the security updates by following these steps:

  1. Download the Evergreen 2.2.0, 2.1.2-rc2, or 2.0.12 release tarball; whichever belongs to the release series you’re currently running.
  2. Untar the tarball
  3. In the source directory, run ./configure --prefix=/openils --sysconf=/openils/conf && make to build the libraries
  4. Install the chrpath tool (aptitude install chrpath on Debian / Ubuntu systems)
  5. Run chrpath -d Open-ILS/src/c-apps/.libs/oils_auth.so to enable the library to link to the appropriate location
  6. Copy your existing oils_auth.so library to a safe location; for example, cp /openils/lib/oils_auth.so /openils/oils_auth.so.20120613
  7. Copy your new oils_auth.so library into place: cp Open-ILS/src/c-apps/.libs/oils_auth.so /openils/lib/
  8. As the root user, run ldconfig to refresh your dynamic linking cache.
  9. As the root user:
    1. Find the location of Cat.pm running on your system. For systems running Evergreen 2.1 and up, this looks something like /usr/local/share/perl/5.10.1/OpenILS/Application/Cat.pm, but the Perl version number could vary by system. For systems running 2.0.x, this is likely /openils/lib/perl5/OpenILS/Application/Cat.pm.
    2. Open the file in a text editor and find a line exactly like this: return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou);
    3. Replace ‘CREATE_MARC’ with ‘UPDATE_MARC’.
    4. Save your changes.
  10. Restart your OpenSRF services: osrf_ctl.sh -a restart_all (NOTE: you may require the -l flag on that command, depending on your system).

* To slightly paraphrase Galen Charlton, who once referred to similar instructions for a previous security update:

Note that /openils/lib/oils_auth.so is normally a symbolic link to oils_auth.so.2.0.0. When applying Dan’s fix procedure, make sure that the final result has all versions of the file name oils_auth.so[.*] pointing to the same shared object.
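
A post-patch check for the manual procedure and the symlink note above, written as an added example that is not part of the original announcement or of Evergreen itself. The function names and the fixture are assumptions made for illustration; the library directory and the Cat.pm path are passed as arguments.

```shell
#!/bin/sh
# Added example: post-patch checks for the manual procedure (not Evergreen tooling).

# Succeeds only if every oils_auth.so[.*] name in directory $1 resolves to
# byte-identical content; cmp follows symlinks. Dangling links count as failures.
auth_lib_consistent() {
    first= status=0
    for f in "$1"/oils_auth.so "$1"/oils_auth.so.*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "DANGLING: $f" >&2; status=1; continue
        fi
        [ -e "$f" ] || continue              # unmatched glob pattern
        if [ -z "$first" ]; then
            first=$f
        elif ! cmp -s "$first" "$f"; then
            echo "MISMATCH: $f differs from $first" >&2; status=1
        fi
    done
    [ -n "$first" ] || { echo "no oils_auth.so in $1" >&2; return 2; }
    return "$status"
}

# Succeeds if file $1 no longer has the exact CREATE_MARC line quoted in
# step 9.2 and does have its UPDATE_MARC replacement.
cat_pm_patched() {
    old="return \$e->die_event unless \$e->allowed('CREATE_MARC', \$e->requestor->ws_ou);"
    new="return \$e->die_event unless \$e->allowed('UPDATE_MARC', \$e->requestor->ws_ou);"
    ! grep -qF -- "$old" "$1" && grep -qF -- "$new" "$1"
}

# Constructed fixture (hypothetical helper): two oils_auth.so names whose
# contents differ, the inconsistent state the closing note warns about.
make_stale_fixture() {
    d=$(mktemp -d) || return 1
    printf 'old build\n' > "$d/oils_auth.so.2.0.0"
    printf 'new build\n' > "$d/oils_auth.so"
    echo "$d"
}

# Usage: sh check.sh /openils/lib /path/to/Cat.pm
if [ "$#" -eq 2 ]; then
    auth_lib_consistent "$1" && cat_pm_patched "$2" && echo "patch looks complete"
fi
```

A backup copy left in the library directory under a name such as oils_auth.so.20120613 will be reported as a mismatch, which is why step 6 stores it outside /openils/lib.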