Security releases: Evergreen 2.12.12 and Evergreen 3.0.6


Evergreen 2.12.12 and Evergreen 3.0.6 are now available. These are security releases; the Evergreen developers strongly urge users to upgrade as soon as possible.

These releases fix several cross-site scripting (XSS) vulnerabilities in the public catalog. When upgrading, Evergreen administrators should review whether any of the following templates have been customized or overridden. If so, either replace the template with the stock version or apply the XSS fix (which entails adding the | html filter in several places) to the customized version.

  • Open-ILS/src/templates/opac/parts/record/contents.tt2
  • Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
  • Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
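
A review aid for the customized-template check described above, as an added example that is not part of the Evergreen release or its code: a heuristic scan of a Template Toolkit file for output statements that lack the | html filter. The function name, the regular expressions and the sample template are assumptions constructed for illustration, and every hit needs manual review, since the scan cannot tell which values are user-controlled.

```python
import re
import sys

# One Template Toolkit directive, tolerating chomp flags such as [%- ... -%].
DIRECTIVE = re.compile(r"\[%[-+=~]?\s*(.*?)\s*[-+=~]?%\]", re.S)
# Upper-case keywords (IF, FOREACH, END, ...) are control flow; only GET prints a value.
KEYWORD = re.compile(r"^([A-Z]+)(?=\s|$)")
# An assignment such as "x = y" (not the comparison "x == y") prints nothing.
ASSIGN = re.compile(r"^[\w.$]+\s*=(?!=)")
# Output already passed through the html filter, written "| html" or "FILTER html".
ESCAPED = re.compile(r"(?:\||\bFILTER)\s*html\b")


def find_unfiltered(template_text):
    """Return (line_number, statement) for each output statement without | html."""
    hits = []
    for m in DIRECTIVE.finditer(template_text):
        body = m.group(1)
        if body.startswith("#"):  # [%# ... %] comments out the whole directive
            continue
        line = template_text.count("\n", 0, m.start()) + 1
        for stmt in (s.strip() for s in body.split(";")):
            kw = KEYWORD.match(stmt)
            if not stmt or (kw and kw.group(1) != "GET") or ASSIGN.match(stmt):
                continue
            if not ESCAPED.search(stmt):
                hits.append((line, stmt))
    return hits


# Constructed sample, not taken from any Evergreen template.
SAMPLE = """\
[%# constructed sample %]
[% FOREACH note IN notes %]
  <td>[% note.title %]</td>
  <td>[% note.body | html %]</td>
  <span>[%- count = count + 1; note.label -%]</span>
[% END %]
"""

if __name__ == "__main__":
    # With no arguments, scan the sample; otherwise scan each template path given.
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    for name, text in texts.items():
        for line, stmt in find_unfiltered(text):
            print(f"{name}:{line}: review unfiltered output: [% {stmt} %]")
```

Run it with the paths of the customized copies of the three templates as arguments; a statement split across a quoted ";" can produce a spurious hit.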

Evergreen 3.0.6 also includes several changes improving on Evergreen 3.0.5:

  • When using ‘Selection Lists -> Edit MARC Order Record’ in the web staff client, now only one click is required to save the MARC record rather than two.
  • The volume/copy editor in the web staff client now better handles editing multiple items that have different sets of statistical category values assigned to them.
  • The act of merging bibliographic records now updates bookbags that referred to the source bibliographic record rather than effectively deleting entries for that record.
  • Additional columns were added to the Holds Pull List in the web staff client.
  • The patron registration form in the web staff client now correctly manages setting user preferences.
  • An error in a pgTAP unit test was corrected.

Please visit the Evergreen download page to retrieve the latest releases and consult the release notes.