SECURITY RELEASES – Evergreen 2.7.1, 2.6.4, and 2.5.8

On behalf of the Evergreen contributors, the 2.7.x release maintainer (Ben Shum) and the 2.6.x and 2.5.x release maintainer (Dan Wells), we are pleased to announce the release of Evergreen 2.7.1, 2.6.4, and 2.5.8.

The new releases can be downloaded from:

THESE RELEASES CONTAIN SECURITY UPDATES, so you will want to upgrade as soon as possible.

In particular, they fix a bug where even if a user had logged out of the Evergreen public catalog, their login session was not removed. This would permit somebody who had access to the user’s session cookie to impersonate that user and gain access to their account and circulation information.

After installing the Evergreen software update, it is recommended that memcached be restarted prior to restarting Evergreen services and Apache.  This will clear out all user login sessions.

All three releases also contain bugfixes that not related to the security issue. For more information on the changes in these release, please consult the change logs: