Security Releases: Evergreen 3.1.15, 3.2.9, 3.3.4, and 3.4-beta2
On behalf of the Evergreen contributors, we are pleased to announce the release of Evergreen 3.1.15, 3.2.9, 3.3.4, and 3.4-beta2.

The new releases can be downloaded from:

http://evergreen-ils.org/egdownloads/

THESE RELEASES CONTAIN SECURITY UPDATES.

It is recommended that all Evergreen sites upgrade to one of the new releases as soon as possible.

These releases fix two bugs related to cross-site scripting (XSS) vulnerabilities in the public catalog.

Bug 1559239: Mitigates a potential risk of having a web page location changed when opening a link in a new tab. Evergreen administrators should review whether the following templates have been customized or overridden. If so, either the template should be replaced with the stock version or the rel="noopener" attribute added to all anchor (<a/>) tags with a target="_blank" attribute.

  • Open-ILS/src/templates/opac/parts/record/summary.tt2
  • Open-ILS/src/templates/opac/parts/result/table.tt2
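As an added illustration, not part of this advisory or of Evergreen's own code, the following Python script audits template markup for target="_blank" anchors whose rel attribute lacks noopener and rewrites them as the advisory describes; the SAMPLE_TT2 lines are constructed in the style of the OPAC templates, not copied from them.

```python
import re
from typing import Dict, List, Tuple

# Constructed Template Toolkit snippet in the style of the OPAC templates the
# advisory names; it is sample input, not text from Evergreen's own files.
SAMPLE_TT2 = """\
<a href="[% ctx.record_url %]" target="_blank">[% attrs.title | html %]</a>
<a href="/eg/opac/results" target="_blank" rel="noopener">Results</a>
<a href="[% ctx.ebook_url %]" rel="noopener noreferrer" target="_blank">eBook</a>
<a href="/eg/opac/home">Home</a>
"""

ANCHOR_RE = re.compile(r"<a\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'\b([\w:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def parse_attrs(tag: str) -> Dict[str, str]:
    """Attributes of one opening <a ...> tag, keyed by lowercase name."""
    attrs = {}
    for m in ATTR_RE.finditer(tag, 2):  # start scanning after the leading "<a"
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def needs_noopener(attrs: Dict[str, str]) -> bool:
    """True for target="_blank" anchors whose rel lacks the noopener token."""
    return (attrs.get("target", "").lower() == "_blank"
            and "noopener" not in attrs.get("rel", "").lower().split())

def find_unsafe_blank_anchors(markup: str) -> List[Tuple[int, str]]:
    """(line number, tag) for every anchor an administrator still has to fix."""
    return [(markup.count("\n", 0, m.start()) + 1, m.group(0))
            for m in ANCHOR_RE.finditer(markup) if needs_noopener(parse_attrs(m.group(0)))]

def add_noopener(markup: str) -> str:
    """Rewrite unsafe anchors: extend an existing rel, or append rel="noopener"."""
    def fix(m):
        tag = m.group(0)
        attrs = parse_attrs(tag)
        if not needs_noopener(attrs):
            return tag
        for am in ATTR_RE.finditer(tag, 2):   # replace the whole rel="..." attribute
            if am.group(1).lower() == "rel":
                new_rel = (attrs["rel"] + " noopener").strip()
                return f'{tag[:am.start()]}rel="{new_rel}"{tag[am.end():]}'
        body = tag[:-1].rstrip()              # drop the closing ">"
        closer = ">"
        if body.endswith("/"):                # keep a self-closing "/>" intact
            body, closer = body[:-1].rstrip(), " />"
        return f'{body} rel="noopener"{closer}'
    return ANCHOR_RE.sub(fix, markup)
```

Run find_unsafe_blank_anchors over each customized template before deciding whether to restore the stock version or patch the override in place.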

Bug 1822630: Resolves a problem with not properly sanitizing user input. When upgrading, Evergreen administrators should review whether any of the following templates have been customized or overridden. If so, either the template should be replaced with the stock version or the XSS fix (which entails adding the | html filter in several places) applied to the customized version.

  • Open-ILS/src/templates/opac/browse.tt2
  • Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
  • Open-ILS/src/templates/opac/parts/header.tt2
  • Open-ILS/src/templates/opac/parts/place_hold.tt2
  • Open-ILS/src/templates/opac/parts/place_hold_result.tt2
  • Open-ILS/src/templates/opac/parts/result/adv_filter.tt2

All of these new releases also contain bugfixes that are not related to the security issues. For more information on the changes in these releases, please consult their release notes: