Security releases: Evergreen 2.10.12, Evergreen 2.11.5, and Evergreen 2.12.2


Evergreen 2.10.12, Evergreen 2.11.5, and Evergreen 2.12.2 are now available. These are security releases; the Evergreen developers strongly urge users to upgrade as soon as possible.

These releases fix several cross-site scripting (XSS) vulnerabilities in the public catalog. When upgrading, Evergreen administrators should review whether any of the following templates have been customized or overridden. If so, either replace the template with the stock version or apply the XSS fix (which entails adding the | html filter in several places) to the customized version.

  • Open-ILS/src/templates/opac/parts/locale_picker.tt2
  • Open-ILS/src/templates/opac/parts/login/form.tt2
  • Open-ILS/src/templates/opac/parts/searchbar.tt2
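As an added illustration (not Evergreen's own code), the following Perl script renders a constructed Template Toolkit fragment once without and once with the html filter, so an administrator reviewing a customized template can see what the fix changes; the fragment, the ctx.query variable and the sample value are assumptions, not taken from the stock templates.

```perl
#!/usr/bin/perl
# Added example, not part of the Evergreen release or its templates.
# Shows the effect of the Template Toolkit 'html' filter that the XSS fix adds.
use strict;
use warnings;
use Template;

# Constructed sample input standing in for a user-supplied value that is
# reflected back into the page markup (e.g. the current search term).
my $user_term = q{<b>bold</b> & "quoted"};

# Vulnerable pattern (assumed fragment): the value is interpolated verbatim,
# so quotes and angle brackets land in the HTML unchanged.
my $unsafe_tmpl = q{<input type="text" name="query" value="[% ctx.query %]">};

# Fixed pattern, as in the security releases: the html filter escapes
# <, >, & and " so the value cannot break out of the attribute.
my $safe_tmpl = q{<input type="text" name="query" value="[% ctx.query | html %]">};

my $tt   = Template->new();
my $vars = { ctx => { query => $user_term } };

for my $pair ( [ 'without filter', $unsafe_tmpl ], [ 'with | html', $safe_tmpl ] ) {
    my ( $label, $tmpl ) = @$pair;
    my $out = '';
    $tt->process( \$tmpl, $vars, \$out ) or die $tt->error;
    print "$label: $out\n";
}
```

When reviewing a customized copy of the templates listed above, any [% ... %] directive that emits request-derived data without | html is the pattern the fix addresses.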

Evergreen 2.12.2 also contains a number of bug fixes and functional improvements over 2.12.1:

  • Various improvements to the new hold targeter.
  • A fix to remove the Chilifresh patron reviews header for Evergreen sites that do not use Chilifresh.
  • A fix that marks acquisitions POs as received when all line items on the PO are received or canceled.
  • A typo fix to the long overdue override permission that prevented staff from being able to override long overdue check ins.
  • A fix to use a library’s configured currency in SIP patron responses instead of always using US dollars.
  • A fix to SIP timeouts caused by invalid sessions.
  • A fix that allows boolean fields to be recognized in queries to the Z39.50 server.
  • A fix to use the correct method during adjust to zero on negative balances.
  • A correction to the datatype for the Vandelay Default Record Match Set setting.
  • The removal of the Keep field from MARC Batch Import Item Attributes. The field was not previously implemented.
  • A fix to set the complete time value for grouped Action/Trigger events when an event’s state reaches complete, consistent with non-grouped events.
  • A fix to a bug in the rollover_phone_to_print.pl script that kept failed call files from being moved.
  • A new index for acq.edi_message that speeds up the check for duplicate EDI messages.
  • A fix that ensures JSON strings are converted to UTF8, ensuring that non-ASCII data displays correctly.
  • A fix to prevent an erroneous unsaved data popup from appearing during MARC record creation.
  • A typo fix in the web client’s bill payment receipt template.
  • A correction to ebook account links on the My Account Summary page.
  • Improved responsive design for the ebook My Account screens so that they display better on mobile devices.
  • A fix to a bug that prevented a patron opt-in dialog from loading.
  • The RTL stylesheet for the public catalog, templates/opac/css/style-rtl.css.tt2, has been merged into the LTR one (templates/opac/css/style.css.tt2). The combined stylesheet template will emit RTL or LTR styles based on the value of the rtl flag of the active locale. An rtl variable is also available in the template to allow the correct style to be chosen.
  • A fix to leaking of the internal port number to the client when Apache is configured to use nonstandard ports in combination with a proxy server.
  • The addition of the vandelay.auto_overlay_bib_record upgrade script, which was missed in a 2.1-2.2 era upgrade script. It isn’t necessary for sites that began using Evergreen since then to run the script, but it is harmless to run.
  • A web staff client fix that hides the behind-desk option for libraries that do not support “Behind Desk Pickup”.
  • A web staff client fix for a bug that caused hold transit check ins to fail silently when the transit destination does not have a holds address.
  • A web staff client fix that now requires the entry of user statistical categories in the patron editor if those stat cats are configured to be required.
  • A fix to a problem with the “Exclude Electronic Resources” checkbox that prevented users from removing a selection from the box.
  • The removal of the search format limiters from the new advanced search limiter block on the search results page. The search format limiters should not display there because they can be selected from the search bar.

Evergreen 2.11.5 also includes the following bug fixes:

  • A fix to remove the Chilifresh patron reviews header for Evergreen sites that do not use Chilifresh.
  • A fix that marks acquisitions POs as received when all line items on the PO are received or canceled.
  • A typo fix to the long overdue override permission that prevented staff from being able to override long overdue check ins.
  • A fix to use a library’s configured currency in SIP patron responses instead of always using US dollars.
  • A fix to SIP timeouts caused by invalid sessions.
  • A fix that allows boolean fields to be recognized in queries to the Z39.50 server.
  • A fix to use the correct method during adjust to zero on negative balances.
  • A correction to the datatype for the Vandelay Default Record Match Set setting.
  • The removal of the Keep field from MARC Batch Import Item Attributes. The field was not previously implemented.
  • A fix to set the complete time value for grouped Action/Trigger events when an event’s state reaches complete, consistent with non-grouped events.
  • A fix to a bug in the rollover_phone_to_print.pl script that kept failed call files from being moved.
  • A new index for acq.edi_message that speeds up the check for duplicate EDI messages.
  • A fix that ensures JSON strings are converted to UTF8, ensuring that non-ASCII data displays correctly.
  • A fix to prevent an erroneous unsaved data popup from appearing during MARC record creation.

Please visit the Evergreen download page to retrieve the latest releases and consult the release notes.