Wed Mar 28 15:12:44 EDT 2018

The branch, rel_3_0 has been updated
       via  c936692a2627630437a3422b7be15cc4c82f554a (commit)
       via  a0b4d9887ccd83c031c42568d2bc826c60591aa0 (commit)
       via  467530e2098646ae2797c6ce263b896a91034b96 (commit)
       via  6554ee5448d1112fcbd8121dcb53fb1726182baf (commit)
       via  facbf340beb258bbe065e1f44326c09268da1e7f (commit)
       via  9d7b19f77d0ba1c2d898f0e73b3d8fa82331950f (commit)
      from  373cce64eafebd4b90bf040cf91f5b464540c057 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

commit c936692a2627630437a3422b7be15cc4c82f554a
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:40:59 2018 -0400

    2.12.11-2.12.12 schema update
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

commit a0b4d9887ccd83c031c42568d2bc826c60591aa0
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:38:59 2018 -0400

    3.0.5-3.0.6 schema update
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

commit 467530e2098646ae2797c6ce263b896a91034b96
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:14:41 2018 -0400

    release notes for Evergreen 2.12.12
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

+Evergreen 2.12.12
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog.
+Security Issue: XSS Vulnerability in Public Catalog
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+* `Open-ILS/src/templates/opac/parts/record/contents.tt2`
+* `Open-ILS/src/templates/opac/parts/record/copy_counts.tt2`
+* `Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2`
+Note that exploiting the XSS vulnerabilities fixed in this release
+would require either the ability to create maliciously-constructed
+MARC bibliographic or holdings records or the ability to set a
+maliciously constructed organizational unit name.
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 2.12.12 security release of
+* Galen Charlton
+* Dan Scott
+* Chris Sharp
 Evergreen 2.12.11
 This release contains bug fixes improving on Evergreen 2.12.10:

commit 6554ee5448d1112fcbd8121dcb53fb1726182baf
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:29:12 2018 -0400

    release notes for Evergreen 3.0.6
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

+Evergreen 3.0.6
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog. This release
+also includes several other bugfixes improving on Evergreen 3.0.5.
+Security Issue: XSS Vulnerability in Public Catalog
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+* `Open-ILS/src/templates/opac/parts/record/contents.tt2`
+* `Open-ILS/src/templates/opac/parts/record/copy_counts.tt2`
+* `Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2`
+Note that exploiting the XSS vulnerabilities fixed in this release
+would require either the ability to create maliciously-constructed
+MARC bibliographic or holdings records or the ability to set a
+maliciously constructed organizational unit name.
+Other Bugfixes
+Evergreen 3.0.6 also includes the following changes:
+* When using 'Selection Lists -> Edit MARC Order Record' in the web
+  staff client, now only one click is required to save the MARC
+  record rather than two.
+* The volume/copy editor in the web staff client now better handles
+  editing multiple items that have different sets of statistical
+  category values assigned to them.
+* The act of merging bibliographic records now updates bookbags
+  that referred to the source bibliographic record rather than
+  effectively deleting entries for that record.
+* Additional columns were added to the Holds Pull List in the
+  web staff client.
+* The patron registration form in the web staff client now correctly
+  manages setting user preferences.
+* An error in a pgTAP unit test was corrected.
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 3.0.6 security release of
+* Galen Charlton
+* Bill Erickson
+* Rogan Hamby
+* Kathy Lussier
+* Terran McCanna
+* Andrea Neiman
+* Mike Rylander
+* Dan Scott
+* Chris Sharp
+* Cesar Velez
 Evergreen 3.0.5
 This release contains bug fixes improving on Evergreen 3.0.4.

commit facbf340beb258bbe065e1f44326c09268da1e7f
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Tue Mar 27 16:30:35 2018 -0400

    LP#1757526: escape more catalog data (MFHD edition)
    This patch ensures that data derived from MFHDs is escaped
    in the issues held tab on the public catalog record display.
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

commit 9d7b19f77d0ba1c2d898f0e73b3d8fa82331950f
Author: Dan Scott <dscott at laurentian.ca>
Date:   Wed Mar 21 22:08:35 2018 +0100

    LP1757526 Escape displayed catalogue data
    Content in content fields (5xx) as well as for the names of locations in copy
    count alt text was not being properly escaped, allowing for the possibility of
    executing arbitrary JavaScript in the case of a malicious catalogue record
    (whether edited in the system, or imported).
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

