[open-ils-commits] [GIT] Evergreen ILS branch master updated. 9af4ae71accb41107f7d6c50950c3b42c664546f

Evergreen Git git at git.evergreen-ils.org
Thu Feb 16 17:01:36 EST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, master has been updated
       via  9af4ae71accb41107f7d6c50950c3b42c664546f (commit)
      from  c9af31b7b3a46101bd73bfc0a794b488e1090282 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9af4ae71accb41107f7d6c50950c3b42c664546f
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Thu Feb 16 12:53:45 2017 -0500

    release notes for 2.10.10
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_10.adoc b/docs/RELEASE_NOTES_2_10.adoc
index ad36a57..f438f15 100644
--- a/docs/RELEASE_NOTES_2_10.adoc
+++ b/docs/RELEASE_NOTES_2_10.adoc
@@ -3,6 +3,85 @@ Evergreen 2.10 Release Notes
 :toc:
 :numbered:
 
+Evergreen 2.10.10
+-----------------
+This is a security release that also contains several other bugfixes improving
+on Evergreen 2.10.9.  All users of Evergreen 2.10.x are recommended to upgrade
+to 2.10.10 as soon as possible.
+
+Security Issue: Credit Processor Stripe Settings Permissions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Unprivileged users can retrieve organizational unit setting values for
+setting types lacking a "view" permission.  When the feature adding
+Stripe credit card processing was added, the upgrade script neglected
+to add the VIEW_CREDIT_CARD_PROCESSING permission to the
+organizational unit setting type.  This means that anyone can retrieve
+and view the settings for Stripe credit card processing.
+
+Any system that upgraded from Evergreen version 2.5 to 2.6 is
+affected.  If you use Stripe for credit card processing, it is
+strongly recommended that you apply this upgrade.  Even if you do not
+use Stripe, applying this upgrade is still recommended.  If you did
+not upgrade from version 2.5 to 2.6 of Evergreen, but started with a
+later version, applying this upgrade is harmless.
+
+If you are not ready to perform a full upgrade, and if you use Stripe,
+you can protect the settings by running the following two SQL statements:
+
+[source,sql]
+----
+UPDATE config.org_unit_setting_type
+    SET view_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;
+
+UPDATE config.org_unit_setting_type
+    SET update_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
+----
+
+Other Fixes
+~~~~~~~~~
+Evergreen 2.10.10 also contains the following bugfixes:
+
+* A fix to correctly apply floating group settings when performing
+no-op checkins.
+* A fix to the HTML coding of the temporary lists page.
+* A fix of a problem where certain kinds of requests of information
+about the organizational unit hierarchy to consume all available
+`open-ils.cstore` backends.
+* A fix to allow staff to use the 'place another hold' link without
+running into a user interface loop.
+* A fix to the 'Edit Due Date' form in the web staff client.
+* A fix to sort billing types and non-barcoded item types in alphabetical
+order in the web staff client.
+* A fix to the 'return to grouped search results' link in the public
+catalog.
+* A fix to allow pre-cat checkouts in the web staff client without requiring
+a circulation modifier.
+* Other typo and documentation fixes.
+
+Acknowledgements
+~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+testing and documentation patches to the 2.10.10 point release of
+Evergreen:
+
+* Ben Shum
+* Bill Erickson
+* Blake Henderson
+* Chris Sharp
+* Christine Burns
+* Galen Charlton
+* Jane Sandberg
+* Jason Stephenson
+* Jeanette Lundgren
+* Josh Stompro
+* Kathy Lussier
+* Kyle Huckins
+* Mike Rylander
+
 Evergreen 2.10.9
 ----------------
 
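Review bot: the SQL workaround in the "Security Issue" section only covers setting types named `credit.processor.stripe%`, while the opening sentence states the underlying exposure is broader ("Unprivileged users can retrieve organizational unit setting values for setting types lacking a 'view' permission"). The notes should either state that the Stripe settings are the only sensitive types found with a missing view permission, or point administrators at a check they can run themselves before the full upgrade, e.g. `SELECT name FROM config.org_unit_setting_type WHERE view_perm IS NULL;`, so that any other setting type holding credentials is caught as well. It would also help to say explicitly that the two `UPDATE` statements are safe to run ahead of the upgrade (the `IS NULL` guard makes them a no-op where the permission is already set). Minor wording: the "Other Fixes" bullet "A fix of a problem where certain kinds of requests of information about the organizational unit hierarchy to consume all available `open-ils.cstore` backends" is missing a verb; suggest "... hierarchy caused all available `open-ils.cstore` backends to be consumed."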

-----------------------------------------------------------------------

Summary of changes:
 docs/RELEASE_NOTES_2_10.adoc |   79 ++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 79 insertions(+), 0 deletions(-)


hooks/post-receive
-- 
Evergreen ILS
