Security releases: OpenSRF 2.4.2 and 2.5.0-alpha2, Evergreen 2.10.10, and Evergreen 2.11.3


OpenSRF 2.4.2 and 2.5.0-alpha2, Evergreen 2.10.10, and Evergreen 2.11.3 are now available. These are security releases; the Evergreen and OpenSRF developers strongly urge users to upgrade as soon as possible.

The security issue fixed in OpenSRF has to do with how OpenSRF constructs keys for use by memcached; under certain circumstances, attackers would be able to exploit the issue to perform denial of service and authentication bypass attacks against Evergreen systems. Users of OpenSRF 2.4.1 and earlier are should upgrade to OpenSRF 2.4.2 right away, while testers of OpenSRF 2.5.0-alpha should upgrade to 2.5.0-alpha2.

If you are currently using OpenSRF 2.4.0 or later, you can update an Evergreen system as follows:

  • Download OpenSRF 2.4.2 and follow its installation instructions up to and including the make install step and chown -R opensrf:opensrf /<PREFIX> steps.
  • Restart Evergreen services using osrf_control.
  • Restart Apache

If you are running a version of OpenSRF older than 2.4.0, you will also need to perform the make and make install steps in Evergreen prior to restarting services.

Please visit the OpenSRF download page to retrieve the latest releases and consult the release notes.

The security issue fixed in Evergreen 2.10.10 and 2.11.3 affects users of the Stripe credit card payment processor and entails the possibility of attackers gaining access to your strip credentials. Users of Evergreen 2.10.x and 2.11.x can simply upgrade as normal, but if you are running Evergreen 2.9.x or earlier, or if you cannot perform a full upgrade right away, you can apply the fix by running the following two SQL statements in your Evergreen database:

UPDATE config.org_unit_setting_type
    SET view_perm = (SELECT id FROM permission.perm_list
        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;

UPDATE config.org_unit_setting_type
    SET update_perm = (SELECT id FROM permission.perm_list
        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;

In addition, Evergreen 2.10.10 has the following fixes since 2.10.9:

  • A fix to correctly apply floating group settings when performing no-op checkins.
  • A fix to the HTML coding of the temporary lists page.
  • A fix of a problem where certain kinds of requests of information about the organizational unit hierarchy to consume all available open-ils.cstore backends.
  • A fix to allow staff to use the place another hold link without running into a user interface loop.
  • A fix to the Edit Due Date form in the web staff client.
  • A fix to sort billing types and non-barcoded item types in alphabetical order in the web staff client.
  • A fix to the return to grouped search results link in the public catalog.
  • A fix to allow pre-cat checkouts in the web staff client without requiring a circulation modifier.
  • Other typo and documentation fixes.

Evergreen 2.11.3 has the following additional fixes since 2.11.2:

  • A fix to correctly apply floating group settings when performing no-op checkins.
  • An improvement to the speed of looking up patrons by their username; this is particularly important for large databases.
  • A fix to properly display the contents of temporary lists (My List) in the public catalog, as well as a fix of the HTML coding of that page.
  • A fix to the Spanish translation of the public catalog that could cause catalog searches to fail.
  • A fix of a problem where certain kinds of requests of information about the organizational unit hierarchy to consume all available open-ils.cstore backends.
  • A fix to allow staff to use the place another hold link without running into a user interface loop.
  • A fix to the Edit Due Date form in the web staff client.
  • A fix to the definition of the stock Full Overlay merge profile.
  • A fix to sort billing types in alphabetical order in the web staff client.
  • A fix to the display of the popularity score in the public catalog.
  • A fix to the return to grouped search results link in the public catalog.
  • A fix to allow pre-cat checkouts in the web staff client without requiring a circulation modifier.
  • A fix to how Action/Trigger event definitions with nullable grouping fields handle null values.
  • Other typo and documentation fixes.

Please visit the Evergreen download page to retrieve the latest releases and consult the release notes.

Leave a comment

Your email address will not be published. Required fields are marked *