SECURITY RELEASES – Evergreen 2.3.3, 2.2.5, and 2.1.5


On behalf of the Evergreen contributors, the 2.3.x release maintainer (Bill Erickson), the 2.2.x release maintainer (Lebbeous Fogle-Weekley), and the 2.1.x release maintainer (Dan Scott), we are pleased to announce the release of Evergreen 2.3.3, 2.2.5, and 2.1.5.

Links to downloads and documentation can be found at

http://evergreen-ils.org/downloads.php and http://evergreen-ils.org/opensrf.php.

The 2.3.3 and 2.2.5 releases also contain bugfixes not related to security.

THESE RELEASES CONTAIN SECURITY UPDATES, so you will want to upgrade as soon as possible.

  • The pcrud, cstore, and rstore services are susceptible to an SQL injection attack.  Any user, including library staff and patrons, who can authenticate to Evergreen can potentially make arbitrary SQL run on the Evergreen database.

More information about the security updates and other bugfixes can be found in the ChangeLogs:

If you don’t wish to upgrade Evergreen outright to the latest version, sites running 2.1, 2.2, or 2.3 releases today can get the benefit of the security updates by following these steps:

  • Download the 2.1.5, 2.2.5, or 2.3.3 release tarball; whichever belongs to the release series you’re currently running.
  • Extract the tarball.

Updating the C libs

  1. In the source directory, run ./configure --prefix=/openils --sysconf=/openils/conf && make to build the libraries
  2. Install the chrpath tool (aptitude install chrpath on Debian / Ubuntu systems)
  3. Run chrpath -d Open-ILS/src/c-apps/.libs/oils_cstore.so to enable the library to link to the appropriate location.
  4. Copy your existing oils_cstore.so library to a safe location; for example, cp /openils/lib/oils_cstore.so /openils/oils_cstore.so.20121026
  5. Copy your new oils_cstore.so library into place: cp Open-ILS/src/c-apps/.libs/oils_cstore.so /openils/lib/
  6. VERY IMPORTANT: Repeat the preceding three steps substituting “pcrud” everywhere “cstore” was mentioned. Repeat them again substituting “rstore” everywhere “cstore” was mentioned.
  7. As the root user, run ldconfig to refresh your dynamic linking cache.

To perform the chrpath and copy actions, you can run the following commands as the root user:

# For each affected service: strip the build-tree rpath from the new library,
# keep a dated copy of the currently installed library (cp -b also backs up
# any file it overwrites), then install the new library.
for i in cstore pcrud rstore
do
  chrpath -d Open-ILS/src/c-apps/.libs/oils_$i.so
  cp -b /openils/lib/oils_$i.so /openils/lib/oils_$i.so.20121026
  cp -b Open-ILS/src/c-apps/.libs/oils_$i.so /openils/lib/
done
ldconfig

Note that /openils/lib/oils_cstore.so is normally a symbolic link to oils_cstore.so.2.0.0. When applying this procedure, make sure that the final result has all versions of the file name oils_cstore.so[.*] pointing to the same shared object. The same layout is true for pcrud and rstore.

  • Restart all Evergreen services and Apache.
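After the copy steps above, a quick way to confirm that every name Evergreen may load resolves to the freshly built library is to hash the installed files against the build output. The helper below is an added example, not part of the Evergreen release or its documentation; it assumes the build output is in Open-ILS/src/c-apps/.libs and the install directory is /openils/lib, and it deliberately ignores the dated backups (oils_<svc>.so.20121026), which hold the old library.

```shell
#!/bin/sh
# Added verification helper (not Evergreen project code).
# $1 = build output dir (e.g. Open-ILS/src/c-apps/.libs)
# $2 = install dir      (e.g. /openils/lib)
# For each service, oils_<svc>.so and its versioned soname files
# (oils_<svc>.so.N.N.N) must all contain the freshly built library.
# Dated backups such as oils_<svc>.so.20121026 are skipped on purpose.

sha() { sha256sum < "$1" | cut -d' ' -f1; }   # reading via stdin follows symlinks

check_oils_libs() {
    build_dir=$1; lib_dir=$2; rc=0
    for svc in cstore pcrud rstore; do
        built="$build_dir/oils_$svc.so"
        if [ ! -f "$built" ]; then
            echo "MISSING build output: $built"; rc=1; continue
        fi
        want=$(sha "$built")
        if [ ! -e "$lib_dir/oils_$svc.so" ]; then
            echo "MISSING installed library: $lib_dir/oils_$svc.so"; rc=1
        fi
        for f in "$lib_dir/oils_$svc.so" "$lib_dir"/oils_$svc.so.[0-9]*.[0-9]*.[0-9]*; do
            [ -e "$f" ] || continue      # an unmatched glob leaves the pattern itself
            if [ "$(sha "$f")" != "$want" ]; then
                echo "STALE: $f does not match $built"; rc=1
            fi
        done
        # chrpath -d should have removed the build-tree rpath; readelf is optional
        if command -v readelf >/dev/null 2>&1 &&
           readelf -d "$lib_dir/oils_$svc.so" 2>/dev/null | grep -Eq 'RPATH|RUNPATH'; then
            echo "WARNING: $lib_dir/oils_$svc.so still carries an RPATH/RUNPATH entry"
        fi
    done
    return $rc
}

# Usage: sh check_oils_libs.sh Open-ILS/src/c-apps/.libs /openils/lib
if [ $# -eq 2 ]; then
    check_oils_libs "$1" "$2"
fi
```

A non-zero exit means at least one installed name still points at the old library; run it again after ldconfig and the service restart to be sure nothing was reverted.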

Please also note that these hot-fix instructions assume that you have installed the previous security releases (to wit, Evergreen 2.3.1, 2.2.3, or 2.1.4).  If you have not, you should instead follow the instructions in the previous security release announcement using the tarballs being released today, including installing the latest stable version of OpenSRF (2.1.2).