SECURITY RELEASES – Evergreen 2.3.6, 2.2.8, and 2.1.6


On behalf of the Evergreen contributors, the 2.3.x release maintainer (Bill Erickson), the 2.2.x release maintainer (Lebbeous Fogle-Weekley), and the 2.1.x release maintainer (Dan Scott), we are pleased to announce the release of Evergreen 2.3.6, 2.2.8, and 2.1.6.

Links to downloads and documentation can be found at

http://evergreen-ils.org/downloads.php.

The 2.3.6 and 2.2.8 releases also contain bugfixes not related to security.

THESE RELEASES CONTAIN SECURITY UPDATES. We strongly recommend that you upgrade as soon as possible.

  • The pcrud, cstore, and rstore services are susceptible to an SQL injection attack.  Any user can potentially make arbitrary SQL run on the Evergreen database.

More information about the security updates and other bugfixes can be found in the ChangeLogs:

If you don’t wish to upgrade Evergreen outright to the latest version, sites running 2.1, 2.2, or 2.3 releases today can get the benefit of the security updates by following these steps:

  • Download the 2.1.6, 2.2.8, or 2.3.6 release tarball; whichever belongs to the release series you’re currently running.
  • Extract the tarball.

Updating the C libs 

  1. In the source directory, run ./configure --prefix=/openils --sysconf=/openils/conf && make to build the libraries
  2. Install the chrpath tool (aptitude install chrpath on Debian / Ubuntu systems)
  3. Run chrpath -d Open-ILS/src/c-apps/.libs/oils_cstore.so to strip the build tree's embedded rpath from the library, so that at run time it resolves its dependencies from the normal library search path (/openils/lib) rather than from the source directory.
  4. Copy your existing oils_cstore.so library to a safe location; for example, cp /openils/lib/oils_cstore.so /openils/lib/oils_cstore.so.20130417 (cp follows the oils_cstore.so symlink, so the backup is a regular copy of the library currently in use)
  5. Copy your new oils_cstore.so library into place: cp Open-ILS/src/c-apps/.libs/oils_cstore.so /openils/lib/
  6. VERY IMPORTANT: Repeat steps 3 through 5 substituting “pcrud” everywhere “cstore” was mentioned. Repeat them again substituting “rstore” everywhere “cstore” was mentioned.
  7. As the root user, run ldconfig to refresh your dynamic linking cache.

To perform the chrpath and copy actions, you can run the following commands as the root user:

set -e   # stop at the first failure rather than leaving /openils/lib half updated
for i in cstore pcrud rstore
  do chrpath -d Open-ILS/src/c-apps/.libs/oils_$i.so
  # back up the library currently in use (cp follows the oils_$i.so symlink)
  cp /openils/lib/oils_$i.so /openils/lib/oils_$i.so.20130417
  # plain cp (not cp -b) writes through the symlink and replaces the real file
  cp Open-ILS/src/c-apps/.libs/oils_$i.so /openils/lib/
done
ldconfig

Note that /openils/lib/oils_cstore.so is normally a symbolic link to oils_cstore.so.2.0.0 (as is oils_cstore.so.2). When applying this procedure, make sure that the final result has every versioned form of the file name oils_cstore.so[.*], other than the dated backup you just created, pointing to the same shared object; if oils_cstore.so has become a separate regular file, the running services and the linker cache can end up using different copies. The same layout is true for pcrud and rstore.

Finally, restart all Evergreen services and Apache.
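The following script is an added example, not code from the Evergreen project or from this announcement. It packages the backup-and-copy step for one library as a function and adds the check a cautious administrator would run afterwards: that oils_NAME.so, oils_NAME.so.2 and oils_NAME.so.2.0.0 all resolve to the same file. The three versioned names are assumed from the directory listings on this page; the "-ef" test (same device and inode after following symlinks) is a widely available shell extension (bash, dash). The throwaway layout it builds under mktemp uses constructed placeholder bytes, not real libraries, so it can be run anywhere before touching /openils/lib.

```shell
#!/bin/sh
# Added example (not Evergreen project code): apply the hot-fix copy for one
# C library and verify the resulting /openils/lib layout.
#
# Assumptions: the versioned names are oils_NAME.so, oils_NAME.so.2 and
# oils_NAME.so.2.0.0, with the first two symlinked to the third (as in the
# directory listings on this page); the "-ef" test is available (bash, dash).

# check_oils_lib LIBDIR NAME
# Succeeds only if every versioned name exists and resolves to the same file.
check_oils_lib() {
    libdir=$1; name=$2
    real="$libdir/oils_$name.so.2.0.0"
    for f in "$libdir/oils_$name.so" "$libdir/oils_$name.so.2" "$real"; do
        if [ ! -e "$f" ]; then echo "missing: $f" >&2; return 1; fi
        if [ ! "$f" -ef "$real" ]; then echo "not the same object: $f" >&2; return 1; fi
    done
    return 0
}

# install_oils_lib BUILDLIBS LIBDIR NAME STAMP
# Backs up the library in use to oils_NAME.so.STAMP, then copies the freshly
# built one into place. Plain cp writes *through* the destination symlink, so
# oils_NAME.so.2.0.0 is replaced and the symlinks stay valid; cp -b would
# instead rename the symlink to oils_NAME.so~ and drop a new file beside it.
install_oils_lib() {
    src=$1; libdir=$2; name=$3; stamp=$4
    cp "$libdir/oils_$name.so" "$libdir/oils_$name.so.$stamp" || return 1
    cp "$src/oils_$name.so" "$libdir/oils_$name.so" || return 1
}

# Build a throwaway layout (constructed placeholder bytes, not real libraries)
# to exercise the two functions. Prints the directory name.
make_fake_layout() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib" "$tmp/build"
    printf 'OLD' > "$tmp/lib/oils_cstore.so.2.0.0"
    ln -s oils_cstore.so.2.0.0 "$tmp/lib/oils_cstore.so.2"
    ln -s oils_cstore.so.2.0.0 "$tmp/lib/oils_cstore.so"
    printf 'NEW' > "$tmp/build/oils_cstore.so"
    echo "$tmp"
}

# Happy path: after the hot fix the real file holds the new build, the dated
# backup holds the old one, and all versioned names still agree.
demo_hotfix() {
    tmp=$(make_fake_layout) || return 1
    install_oils_lib "$tmp/build" "$tmp/lib" cstore 20130417 || return 1
    check_oils_lib "$tmp/lib" cstore || return 1
    [ "$(cat "$tmp/lib/oils_cstore.so.2.0.0")" = NEW ] || return 1
    [ "$(cat "$tmp/lib/oils_cstore.so.20130417")" = OLD ] || return 1
    rm -rf "$tmp"
}

# Failure mode: the same copy done with GNU cp -b leaves oils_cstore.so as a
# new regular file while oils_cstore.so.2 still points at the old object, which
# the check must reject. Returns 0 when the breakage is reproduced, 2 if this
# cp has no -b option.
demo_cp_b() {
    tmp=$(make_fake_layout) || return 1
    if ! cp -b "$tmp/build/oils_cstore.so" "$tmp/lib/oils_cstore.so" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    if check_oils_lib "$tmp/lib" cstore 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Run both demonstrations when executed directly.
if demo_hotfix; then echo "hot fix applied and layout verified"; fi
rc=0; demo_cp_b || rc=$?
case $rc in
    0) echo "cp -b breaks the layout, as expected" ;;
    2) echo "cp -b not available on this system" ;;
    *) echo "unexpected result from cp -b demonstration" ;;
esac
```

On a real server the call would be install_oils_lib Open-ILS/src/c-apps/.libs /openils/lib cstore 20130417 (after chrpath -d, as root, once per library), followed by check_oils_lib /openils/lib cstore and then ldconfig.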

Please also note that these hot-fix instructions assume that you have installed the previous security releases.  If you have not, you should instead follow the instructions in the previous security release announcement using the tarballs being released today, including installing the latest stable version of OpenSRF (2.1.2).


6 thoughts on “SECURITY RELEASES – Evergreen 2.3.6, 2.2.8, and 2.1.6”

  • Dan Wells

    Thanks a lot for posting this, and especially for the quick upgrade bits. They are a huge help.

    However, the upgrade instructions have never quite worked for me (I am on Ubuntu 12.04). If I follow them exactly, I end up with something like:


    -rwxr-xr-x 1 root root 280330 2013-04-17 15:52 oils_cstore.so
    lrwxrwxrwx 1 opensrf opensrf 20 2012-12-19 10:44 oils_cstore.so~ -> oils_cstore.so.2.0.0
    lrwxrwxrwx 1 opensrf opensrf 20 2012-12-19 10:44 oils_cstore.so.2 -> oils_cstore.so.2.0.0
    -rwxr-xr-x 1 opensrf opensrf 280442 2013-01-16 18:19 oils_cstore.so.2.0.0
    -rwxr-xr-x 1 root root 280442 2013-04-17 15:52 oils_cstore.so.20130417

    which isn’t what we want. Why aren’t we copying the new library to (for example) oils_cstore.so.2.0.0? Or is something else supposed to take care of this? I always end up just shuffling things back where they go (as mentioned in the instructions), and assuming my system is the weird one, but maybe the instructions need adjusting instead?

    Thanks for helping me understand.

    Dan

  • Galen Charlton (post author)

    On Debian, at least, the Evergreen *.so files are symlinks to *.so.2.0.0, e.g., oils_cstore.so -> oils_cstore.so.2.0.0.

    I don’t have an Ubuntu system in front of me, so I can’t say whether it adopts a different convention or if you had inadvertently broken a symlink earlier.

    Ultimately, the goal is to ensure that for each shared library, all references to it either point to the same binary or link to it.

  • Dan Wells

    Thanks Galen. I do understand the goal, and I think Debian and Ubuntu are set up the same way. My working config looks like (and I verified this is how it was before running the upgrade steps):

    lrwxrwxrwx 1 opensrf opensrf 20 2012-12-19 10:44 /openils/lib/oils_cstore.so -> oils_cstore.so.2.0.0
    lrwxrwxrwx 1 opensrf opensrf 20 2012-12-19 10:44 /openils/lib/oils_cstore.so.2 -> oils_cstore.so.2.0.0
    -rwxr-xr-x 1 root root 280330 2013-04-17 15:55 /openils/lib/oils_cstore.so.2.0.0

    However, if I follow the instructions and do:

    cp Open-ILS/src/c-apps/.libs/oils_cstore.so /openils/lib/

    I end up with what I posted above (that is, it moves the .so symlink to an automatic backup (~) filename rather than replacing the linked file). This appears to be some sort of protection mechanism, and maybe it is Ubuntu specific. I don’t really have time to research it right now, so I guess this is just a heads up for Ubuntu folks.

  • Galen Charlton (post author)

    It's acting as if cp were aliased to cp -b. I’ve tested and verified that using cp -b would indeed result in what you’re seeing.

  • Galen Charlton (post author)

    And now the caffeine has kicked in. The -b in the instructions wasn’t necessary and was getting in the way, so I’ve updated the instructions accordingly.

  • Dan Wells

    Sorry, I totally missed the fact that ‘-b’ was there as well when I copied and pasted the ‘for’ loop. That explains everything!

    Thanks for fixing it.
