SECURITY RELEASES – Evergreen 2.3.1, 2.2.3, and 2.1.4; OpenSRF 2.1.1

Hi everyone,

As the 2.3 series release maintainer, on behalf of Lebbeous Fogle-Weekley (2.2 maintainer), and Dan Scott (Evergreen 2.1, OpenSRF 2.1 maintainer), I hereby announce Evergreen 2.3.1, 2.2.3, 2.1.4, and OpenSRF 2.1.1, which contain security fixes.

Links to downloads and documentation can be found at and

Each of these releases also contains bugfixes not related to security.

THESE RELEASES CONTAIN SECURITY UPDATES, so you will want to upgrade as soon as possible.

  • The pcrud service and the Evergreen reporting interface are susceptible to leaking sensitive information.
  • OpenSRF may log sensitive information to system logs.

More information about the security updates can be found in the ChangeLogs.

  • These changes require that OpenSRF 2.1.1 be installed before any patches or upgrades to Evergreen are applied!

If you don’t wish to upgrade Evergreen outright to the latest version, sites running 2.1, 2.2, or 2.3 releases today can get the benefit of the security updates by following these steps:

  • Download the 2.1.4, 2.2.3, or 2.3.1 release tarball, whichever belongs to the release series you’re currently running.
  • Extract the tarball.

Updating the OpenSRF configuration

  • To add the recommended log redaction configuration to an existing system, you can apply the following patch to /openils/conf/opensrf_core.xml:

Updating the IDL

  • Copy the new IDL into place: cp Open-ILS/examples/fm_IDL.xml /openils/conf/
  • Copy the web IDL into place: cp Open-ILS/examples/fm_IDL.xml /openils/var/web/reports/ # NOTE: this will make all reports template creation labels appear in English until you perform a full upgrade

Updating the C libs
  1. In the source directory, run ./configure --prefix=/openils --sysconf=/openils/conf && make to build the libraries
  2. Install the chrpath tool (aptitude install chrpath on Debian / Ubuntu systems)
  3. Run chrpath -d Open-ILS/src/c-apps/.libs/ to enable the library to link to the appropriate location.
  4. Copy your existing library to a safe location; for example, cp /openils/lib/ /openils/
  5. Copy your new library into place: cp Open-ILS/src/c-apps/.libs/ /openils/lib/
  6. VERY IMPORTANT: Repeat the preceding three steps substituting “pcrud” everywhere I said “cstore.” Repeat them again substituting “rstore” everywhere I said “cstore.”
  7. As the root user, run ldconfig to refresh your dynamic linking cache.

To perform the chrpath and copy actions, you can run the following commands as the root user:

for i in cstore pcrud rstore
do
  chrpath -d Open-ILS/src/c-apps/.libs/oils_$
  cp -b /openils/lib/oils_$ /openils/lib/oils_$
  cp -b Open-ILS/src/c-apps/.libs/oils_$ /openils/lib/
done

Note that /openils/lib/ is normally a symbolic link to When applying this procedure, make sure that the final result has all versions of the file name[.*] pointing to the same shared object. The same layout is true for pcrud and rstore.
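As an added example (not from this announcement or the Evergreen project), the following POSIX sh script performs the backup, chrpath and copy steps for all three libraries and then verifies the symlink layout described in the note above, so that a stale copy of the vulnerable build cannot remain in use unnoticed. The library file names (oils_<name>.so) and the paths in the variables are assumptions modelled on the steps above; adjust them to your install.

```shell
#!/bin/sh
# Added example, not part of the release announcement.
# ASSUMPTION: libraries are named oils_<name>.so and live in $OILS_LIB;
# the built copies are in $SRC_LIBS. Both can be overridden from the environment.
set -u

SRC_LIBS="${SRC_LIBS:-Open-ILS/src/c-apps/.libs}"
OILS_LIB="${OILS_LIB:-/openils/lib}"

# check_lib_layout DIR NAME: succeed only if every oils_NAME.so* entry in DIR
# resolves (following symlinks) to one and the same regular file.
check_lib_layout() {
    dir=$1; name=$2; target=""
    for f in "$dir"/oils_"$name".so*; do
        [ -e "$f" ] || { echo "no oils_$name.so* in $dir" >&2; return 1; }
        real=$(readlink -f "$f") || return 1
        [ -f "$real" ] || { echo "$f -> $real is not a regular file" >&2; return 1; }
        if [ -z "$target" ]; then
            target=$real
        elif [ "$real" != "$target" ]; then
            echo "$f resolves to $real, expected $target" >&2
            return 1
        fi
    done
    return 0
}

# install_lib NAME: keep a backup of the old shared object, strip the
# build-tree rpath from the new one, overwrite the file the symlinks point
# at (so the symlink chain stays intact) and re-check the layout.
install_lib() {
    name=$1
    new="$SRC_LIBS/oils_$name.so"
    old=$(readlink -f "$OILS_LIB/oils_$name.so") || return 1
    cp -p "$old" "$old.bak" || return 1    # backup of the vulnerable build
    chrpath -d "$new" || return 1          # drop the source-tree rpath
    cp "$new" "$old" || return 1           # replace the real shared object
    check_lib_layout "$OILS_LIB" "$name"
}

# Run as root after ./configure && make, before ldconfig.
install_all() {
    for name in cstore pcrud rstore; do
        install_lib "$name" || return 1
    done
    ldconfig
}
```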

Updating the Perl libraries

The CStoreEditor module was changed to eliminate a possible leak of sensitive information to the logs. As the location of Perl libraries differs between Linux distributions, the easiest way to get the fixed version of the CStoreEditor module into place is to install the newest copy of all of the Evergreen Perl libraries. Perform the following action as the root user:

cd Open-ILS/src/perlmods
make install
  • Restart all Evergreen services and Apache.
  • Run autogen to publish the IDL changes: /openils/bin/