[open-ils-commits] [GIT] Evergreen ILS branch rel_2_7 updated. 6a14ec18e7d6dca97dcb5e551452051b9ee32aa4
Evergreen Git
git at git.evergreen-ils.org
Mon May 4 09:42:47 EDT 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_7 has been updated
via 6a14ec18e7d6dca97dcb5e551452051b9ee32aa4 (commit)
from bb112c5a108bc7208fe321f7af6e2c524a91dd74 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6a14ec18e7d6dca97dcb5e551452051b9ee32aa4
Author: Ben Shum <bshum at biblio.org>
Date: Fri May 1 14:09:01 2015 -0400
Docs - Add security note for 2.7.5
Signed-off-by: Ben Shum <bshum at biblio.org>
diff --git a/docs/RELEASE_NOTES_2_7.txt b/docs/RELEASE_NOTES_2_7.txt
index 12d3bef..bdd6b17 100644
--- a/docs/RELEASE_NOTES_2_7.txt
+++ b/docs/RELEASE_NOTES_2_7.txt
@@ -379,8 +379,62 @@ http://sitemaps.org specification, including:
Bug Fixes
---------
-IMPORTANT SECURITY INFORMATION
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+IMPORTANT SECURITY INFORMATION - 2.7.5
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For users of Apache version 2.4, a serious security flaw that allows
+unauthorized remote access to reporter output and potentially other
+sensitive data is fixed in the following releases of Evergreen: 2.6.8,
+2.7.5, and 2.8.1. All prior releases of Evergreen are vulnerable to
+exploitation of this flaw to reveal sensitive system information. If
+you are running a vulnerable release of Evergreen you are *strongly*
+encouraged to upgrade to a non-vulnerable release as soon as possible.
+
+Apache version 2.2 is not affected.
+
+In addition to upgrading Evergreen, a configuration change is required
+for users of Apache version 2.4. Any <Location> or <Directory>, etc.
+configuration section in the /etc/apache2/eg_vhost.conf (debian/ubuntu)
+file which contains "PerlAuthenHandler OpenILS::WWW::Proxy::Authen"
+should be edited. For each, remove the line reading "Require all
+granted".
+
+For example, this section:
+
+[source,conf]
+----------------------------------------------------------------------------
+<Location /collections>
+ SetHandler perl-script
+ AuthType Basic
+ AuthName "Collections Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "money.collections_tracker.create"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ Require valid-user
+ Options +ExecCGI
+ PerlSendHeader On
+ Require all granted
+</Location>
+----------------------------------------------------------------------------
+
+Should have its final line removed and be changed to:
+
+[source,conf]
+----------------------------------------------------------------------------
+<Location /collections>
+ SetHandler perl-script
+ AuthType Basic
+ AuthName "Collections Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "money.collections_tracker.create"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ Require valid-user
+ Options +ExecCGI
+ PerlSendHeader On
+</Location>
+----------------------------------------------------------------------------
+
+IMPORTANT SECURITY INFORMATION - 2.7.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A serious security flaw that allows unauthorized remote access to
organizational unit settings is fixed in the following releases of
Evergreen: 2.5.9, 2.6.7, and 2.7.4. All prior releases of Evergreen
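Review bot: The new 2.7.5 note tells administrators to delete "Require all granted" but never says why that one line defeats the Basic auth in front of it, so readers are unlikely to spot the same pattern in sections the note does not list. In Apache 2.4, multiple Require directives that sit at the same level without an explicit RequireAll/RequireAny container are combined as RequireAny, so "Require valid-user" followed by "Require all granted" lets every request through without credentials; that is also why the 2.2 paragraph can say it is unaffected, since "Require all granted" and the mod_authz_core model are 2.4-only. Suggest adding one sentence to that effect after "should be edited.", and spelling out that the eg_vhost.conf path given is the Debian/Ubuntu one while other installs must locate their own copy. It would also help to add a verification step after the configuration examples, e.g. run "apachectl configtest", reload Apache, and confirm that an unauthenticated request to one of the edited paths now receives a 401 rather than the reporter output.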
-----------------------------------------------------------------------
Summary of changes:
docs/RELEASE_NOTES_2_7.txt | 58 ++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 56 insertions(+), 2 deletions(-)