SECURITY RELEASES – Evergreen 2.2.2 and 2.1.3

This entry was posted in Development Update Releases on by

Hi everyone. As the 2.2 series release maintainer, and on behalf of Dan Scott in charge of the 2.1 series, I hereby announce Evergreen 2.2.2 and 2.1.3, which contain security fixes.

You can download these now!

Both of these releases also contain bugfixes not related to security. 2.2.2 has brief release notes here.

The technical changelogs are here for 2.2.2 and 2.1.3.

If you follow the 2.3 series, expect Evergreen 2.3.0 beta2 soon.

THESE RELEASES CONTAINS SECURITY UPDATES, so you will want to upgrade as soon as possible.

The cstore service is vulnerable to remotely triggered segmentation faults. More information about the security updates can be found in the ChangeLog.

If you don’t wish to upgrade outright to the latest version, sites running any 2.1 or 2.2 release today can get the benefit of the security updates by following these steps:

  1. Download the 2.1.3, or 2.2.2 release tarball; whichever belongs to the release series you’re currently running.
  2. Untar the tarball
  3. In the source directory, run ./configure --prefix=/openils --sysconf=/openils/conf && make to build the libraries
  4. Install the chrpath tool (aptitude install chrpath on Debian / Ubuntu systems)
  5. Run chrpath -d Open-ILS/src/c-apps/.libs/oils_cstore.so to enable the library to link to the appropriate location.
  6. Copy your existing oils_cstore.so library to a safe location; for example, cp /openils/lib/oils_cstore.so /openils/oils_cstore.so.20120822
  7. Copy your new oils_cstore.so library into place: cp Open-ILS/src/c-apps/.libs/oils_cstore.so /openils/lib/
  8. VERY IMPORTANT: Repeat the preceding three steps substituting “pcrud” everywhere I said “cstore.” Repeat them again substituting “rstore” everywhere I said “cstore.”
  9. As the root user, run ldconfig to refresh your dynamic linking cache.
  10. Restart your OpenSRF C services: osrf_ctl.sh -a restart_c (NOTE: you may require the -l flag on that command, depending on your system).

* To slightly paraphrase Galen Charlton who once referred to similar instructions for a previous security update:

Note that /openils/lib/oils_cstore.so is normally a symbolic link to oils_cstore.so.2.0.0. When applying Dan’s fix procedure, make sure that the final result has all versions of the file name oils_cstore.so[.*] pointing to the same shared object.