We are pleased to announce July maintenance releases for Evergreen ILS. Evergreen 3.11.7, 3.12.5, and 3.13.2 are now available. More information including links to downloads and full release notes is available on the Downloads page.
2024 Conference Videos
The Outreach Committee is glad to share that all of the 2024 Evergreen ILS online conference videos are now up on YouTube.
Evergreen and OpenSRF Security Releases: Evergreen 3.10.5, 3.11.6, 3.12.4, 3.13.1; OpenSRF 3.2.5 and 3.3.1
The Evergreen Project announces security releases for Evergreen and OpenSRF.
The Evergreen releases are:
- 3.10.5
- 3.11.6
- 3.12.4
- 3.13.1
The Evergreen releases include fixes for the following issues:
- Two reflected XSS (cross-site scripting) vulnerabilities that would permit execution of arbitrary JavaScript by the user’s web browser
- An insecure direct object reference (IDOR) vulnerability that allows for constructing URLs that can access arbitrary Action Trigger event output, including data related to patron circulation notices
The IDOR vulnerability is considered critical; all Evergreen sites are recommended to upgrade or apply the fixes as soon as possible.
The OpenSRF releases are:
- 3.2.5
- 3.3.1
The OpenSRF releases fix a buffer overflow and a race condition that can crash Perl services. There are no known exploits for either issue, but Evergreen sites are nonetheless recommended to upgrade OpenSRF.
Additional information, including the new releases and release notes with instructions for applying the fixes, can be found on the downloads pages for Evergreen and OpenSRF.