[open-ils-commits] [GIT] Evergreen ILS branch rel_2_12 updated. 286abbcd8d72d6eb560f5a44f5e0400cef015780

Evergreen Git git at git.evergreen-ils.org
Wed Mar 28 15:13:52 EDT 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_12 has been updated
       via  286abbcd8d72d6eb560f5a44f5e0400cef015780 (commit)
       via  fdc72a782f6471205471588c1b585b657a1fe555 (commit)
       via  c51e12673204e9fbeee8da3d1e7907275c804f29 (commit)
       via  411307667f8fd4c4b4190760de2432036eb3a6e5 (commit)
       via  95d73451efba7de6eb0d820bc781364133ba88f9 (commit)
      from  6771a9425d6859a09f7d0d1d7fae21f1308b81cf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 286abbcd8d72d6eb560f5a44f5e0400cef015780
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:44:18 2018 -0400

    update upgrade instructions

diff --git a/docs/installation/server_upgrade.adoc b/docs/installation/server_upgrade.adoc
index 3d9912b..afdc05e 100644
--- a/docs/installation/server_upgrade.adoc
+++ b/docs/installation/server_upgrade.adoc
@@ -8,7 +8,7 @@ Software Prerequisites
 
   * **PostgreSQL**: Version 9.4 is recommended.
     The minimum supported version is 9.3.
-  * **Linux**: Evergreen 2.12.11 has been tested on Debian Jessie (8.0),
+  * **Linux**: Evergreen 2.12.12 has been tested on Debian Jessie (8.0),
     Debian Wheezy (7.0), Ubuntu Xenial Xerus (16.04),
     and Ubuntu Trusty Tahr (14.04).
     If you are running an older version of these distributions, you may want
@@ -44,12 +44,12 @@ osrf_control --localhost --stop-all
  .. Back up the /openils directory.
 . Upgrade OpenSRF. Download and install the latest version of OpenSRF from
 the https://evergreen-ils.org/opensrf-downloads/[OpenSRF download page].
-. As the *opensrf* user, download and extract Evergreen 2.12.11:
+. As the *opensrf* user, download and extract Evergreen 2.12.12:
 +
 [source, bash]
 -----------------------------------------------
-wget https://evergreen-ils.org/downloads/Evergreen-ILS-2.12.11.tar.gz
-tar xzf Evergreen-ILS-2.12.11.tar.gz
+wget https://evergreen-ils.org/downloads/Evergreen-ILS-2.12.12.tar.gz
+tar xzf Evergreen-ILS-2.12.12.tar.gz
 -----------------------------------------------
 +
 [NOTE]
@@ -59,7 +59,7 @@ For the latest edition of Evergreen, check the https://evergreen-ils.org/egdownl
 +
 [source, bash]
 ---------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.12.11
+cd /home/opensrf/Evergreen-ILS-2.12.12
 ---------------------------------------------
 +
 On the next command, replace `[distribution]` with one of these values for your
@@ -83,7 +83,7 @@ make -f Open-ILS/src/extras/Makefile.install [distribution]
 +
 [source, bash]
 ------------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.12.11
+cd /home/opensrf/Evergreen-ILS-2.12.12
 PATH=/openils/bin:$PATH ./configure --prefix=/openils --sysconfdir=/openils/conf
 make
 ------------------------------------------------------------
@@ -94,8 +94,8 @@ These instructions assume that you have also installed OpenSRF under /openils/.
 +
 [source, bash]
 ------------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.12.11
-make STAFF_CLIENT_STAMP_ID=rel_2_12_11 install
+cd /home/opensrf/Evergreen-ILS-2.12.12
+make STAFF_CLIENT_STAMP_ID=rel_2_12_12 install
 ------------------------------------------------------------
 +
 . As the *root* user, change all files to be owned by the opensrf user and group:
@@ -111,7 +111,7 @@ chown -R opensrf:opensrf /openils
 -----------------------------------------------------------
 cd /openils/var/web/xul/
 rm server
-ln -sf rel_2_12_11/server server
+ln -sf rel_2_12_12/server server
 ----------------------------------------------------------
 +
 . As the *opensrf* user, update opensrf_core.xml and opensrf.xml by copying the
@@ -131,7 +131,7 @@ Copying these configuration files will remove any customizations you have made t
 +
 [source, bash]
 -------------------------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.12.11
+cd /home/opensrf/Evergreen-ILS-2.12.12
 perl Open-ILS/src/support-scripts/eg_db_config --update-config --service all \
 --create-offline --database evergreen --host localhost --user evergreen --password evergreen
 -------------------------------------------------------------------------
@@ -155,21 +155,21 @@ The diff command can be used to show the differences between the distribution ve
 +
 [source, bash]
 ----------------------------------------------------------
-cp /home/opensrf/Evergreen-ILS-2.12.11/Open-ILS/examples/apache/eg_startup /etc/apache2/eg_startup
+cp /home/opensrf/Evergreen-ILS-2.12.12/Open-ILS/examples/apache/eg_startup /etc/apache2/eg_startup
 ----------------------------------------------------------
 +
 .. Update /etc/apache2/eg_vhost.conf by copying the example from Open-ILS/examples/apache/eg_vhost.conf.
 +
 [source, bash]
 ----------------------------------------------------------
-cp /home/opensrf/Evergreen-ILS-2.12.11/Open-ILS/examples/apache/eg_vhost.conf /etc/apache2/eg_vhost.conf
+cp /home/opensrf/Evergreen-ILS-2.12.12/Open-ILS/examples/apache/eg_vhost.conf /etc/apache2/eg_vhost.conf
 ----------------------------------------------------------
 +
 .. Update /etc/apache2/sites-available/eg.conf by copying the example from Open-ILS/examples/apache/eg.conf.
 +
 [source, bash]
 ----------------------------------------------------------
-cp /home/opensrf/Evergreen-ILS-2.12.11/Open-ILS/examples/apache/eg.conf /etc/apache2/sites-available/eg.conf
+cp /home/opensrf/Evergreen-ILS-2.12.12/Open-ILS/examples/apache/eg.conf /etc/apache2/sites-available/eg.conf
 ----------------------------------------------------------
 
 Upgrade the Evergreen database schema
@@ -237,13 +237,14 @@ would run the following upgrade scripts:
 - 2.12.8-2.12.9-upgrade-db.sql
 - 2.12.9-2.12.10-upgrade-db.sql
 - 2.12.10-2.12.11-upgrade-db.sql
+- 2.12.11-2.12.12-upgrade-db.sql
 
 Note that you do *not* want to run additional 2.5 scripts to upgrade to the
 newest version of 2.5, since currently there is no automated way to upgrade
 from 2.5.4+ to 2.6. Only upgrade as far as necessary to reach the major
 version upgrade script (in this example, as far as 2.5.3).
 
-To upgrade across multiple major versions (e.g. from 2.3.0 to 2.12.11), use
+To upgrade across multiple major versions (e.g. from 2.3.0 to 2.12.12), use
 the same logic to utilize the provided major version upgrade scripts. For
 example:
 
@@ -265,7 +266,7 @@ example:
 - 2.10.7-2.11.0-upgrade-db.sql
 - (run all incremental scripts from 2.11.0 to 2.11.3)
 - 2.11.3-2.12.0-upgrade-db.sql
-- (run all incremental scripts from 2.12.0 to 2.12.11)
+- (run all incremental scripts from 2.12.0 to 2.12.12)
 
 =============
 
@@ -280,8 +281,8 @@ as a user with the ability to connect to the database server.
 
 [source, bash]
 ----------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.12.11/Open-ILS/src/sql/Pg
-psql -U evergreen -h localhost -f version-upgrade/2.12.10-2.12.11-upgrade-db.sql evergreen
+cd /home/opensrf/Evergreen-ILS-2.12.12/Open-ILS/src/sql/Pg
+psql -U evergreen -h localhost -f version-upgrade/2.12.11-2.12.12-upgrade-db.sql evergreen
 ----------------------------------------------------------
 
 [TIP]

commit fdc72a782f6471205471588c1b585b657a1fe555
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:40:59 2018 -0400

    2.12.11-2.12.12 schema update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql
new file mode 100644
index 0000000..48fe1a7
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 2.12.11 to 2.12.12
+\set eg_version '''2.12.12'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('2.12.12', :eg_version);
+COMMIT;
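Review bot: the only statement in this script is the `config.upgrade_log` insert, so it records a version marker and makes no schema change, which is consistent with a release that only touches templates; the version literal does appear twice, though (`\set eg_version '''2.12.12'''` and `VALUES ('2.12.12', :eg_version)`), so a future copy-and-bump of this file can leave the two out of step. Consider a one-line comment stating that no schema change is intended, so that a reader does not go looking for a missing DDL block.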

commit c51e12673204e9fbeee8da3d1e7907275c804f29
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:14:41 2018 -0400

    release notes for Evergreen 2.12.12
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_12.adoc b/docs/RELEASE_NOTES_2_12.adoc
index fddb133..a35667f 100644
--- a/docs/RELEASE_NOTES_2_12.adoc
+++ b/docs/RELEASE_NOTES_2_12.adoc
@@ -3,6 +3,39 @@ Evergreen 2.12 Release Notes
 :toc:
 :numbered:
 
+Evergreen 2.12.12
+-----------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/contents.tt2`
+* `Open-ILS/src/templates/opac/parts/record/copy_counts.tt2`
+* `Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2`
+
+Note that exploiting the XSS vulnerabilities fixed in this release
+would require either the ability to create maliciously-constructed
+MARC bibliographic or holdings records or the ability to set a
+maliciously constructed organizational unit name.
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 2.12.12 security release of
+Evergreen:
+
+* Galen Charlton
+* Dan Scott
+* Chris Sharp
+
 Evergreen 2.12.11
 -----------------
 This release contains bug fixes improving on Evergreen 2.12.10:
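Review bot: the guidance to administrators ("the XSS fix (which entails adding the `| html` filter in several places)") understates what the `contents.tt2` change in this same push does: besides adding the filter, it wraps the 5xx output in a `<div class='content_field'>` and drops the conditional `<br/>`, so a site that customized that template or styles its output should expect a markup change, not just a filter addition. Suggest adding a sentence along the lines of "For contents.tt2 the fix also changes the surrounding markup of the content fields." The three templates listed do match the three template files changed in this push.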

commit 411307667f8fd4c4b4190760de2432036eb3a6e5
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Tue Mar 27 16:30:35 2018 -0400

    LP#1757526: escape more catalog data (MFHD edition)
    
    This patch ensures that data derived from MFHDs is escaped
    in the issues held tab on the public catalog record display
    page.
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2 b/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
index ced0ec6..bd6bb97 100644
--- a/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
@@ -20,7 +20,7 @@
                 NEXT UNLESS serial.$type.size;
                 IF !printed_mfhd_header; %]
                 <tr>
-                    <td class="rdetail-mfhd-head" colspan="2">[% l('Holdings summary ([_1])', serial.location) %]</td>
+                    <td class="rdetail-mfhd-head" colspan="2">[% l('Holdings summary ([_1])', serial.location) | html %]</td>
                 </tr>
                 [% printed_mfhd_header = 1;
                 END; %]
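Review bot: applying `| html` to the whole result of `l('Holdings summary ([_1])', serial.location)` is the right order, since it escapes the substituted location as well as the localized string (filtering before substitution would leave the location untouched); the trade-off is that any translation of this string that contains intentional markup will now be escaped too, so it is worth flagging to translators that the string is plain text.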
@@ -28,7 +28,7 @@
                     <td class="rdetail-mfhd-type">[% mfhd.$type %]</td>
                     <td class="rdetail-mfhd-contents">[%
                         FOR thing IN serial.$type;
-                            thing.join(", ");
+                            thing.join(", ") | html;
                         END %]</td>
                 </tr>
             [% END;
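Review bot: `thing.join(", ") | html` covers the cell contents, but the context line `<td class="rdetail-mfhd-type">[% mfhd.$type %]</td>` just above still emits `mfhd.$type` without a filter. If that value is a fixed label defined in the template it is fine; if it is derived from the MFHD record it needs the same `| html`, given that the commit message's stated goal is that all data derived from MFHDs is escaped. Please confirm which it is, and add the filter if in doubt.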

commit 95d73451efba7de6eb0d820bc781364133ba88f9
Author: Dan Scott <dscott at laurentian.ca>
Date:   Wed Mar 21 22:08:35 2018 +0100

    LP1757526 Escape displayed catalogue data
    
    Content in content fields (5xx) as well as for the names of locations in copy
    count alt text was not being properly escaped, allowing for the possibility of
    executing arbitrary JavaScript in the case of a malicious catalogue record
    (whether edited in the system, or imported).
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/record/contents.tt2 b/Open-ILS/src/templates/opac/parts/record/contents.tt2
index 29fc33b..50ae616 100644
--- a/Open-ILS/src/templates/opac/parts/record/contents.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/contents.tt2
@@ -170,8 +170,7 @@ BLOCK render_contents;
             all_content.push(subfield.textContent);
         END;
         total_contents = all_content.join(" ").replace('\s+$', '');
-        %] [% total_contents;
-        IF total_contents.size; "<br/>"; END;
+        %] [% "<div class='content_field'>"; total_contents | html ; "</div>";
         FOREACH link880 IN graphics;
             '<div class="graphic880"' _ link880.dir _ '>';
             link880.value | html;
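Review bot: the removed `IF total_contents.size; "<br/>"; END;` guard is not carried over, so a record whose content field yields an empty `total_contents` now emits an empty `<div class='content_field'></div>` where previously nothing was output; if that is not intended, keep the size check around the new div. Separately, the unchanged line `'<div class="graphic880"' _ link880.dir _ '>'` still concatenates `link880.dir` into a tag without a filter while `link880.value` is filtered; worth confirming that `dir` is a controlled value set by the template logic rather than text taken from the record.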
diff --git a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
index eee85e8..e6e783f 100644
--- a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
@@ -23,7 +23,7 @@
     [%- this_depth = ctx.get_aou(ou_id).ou_type.depth;
         IF ou_count > 0 && this_depth != ctx.copy_depth %]
     <a href="[% mkurl('', {copy_depth => this_depth}, ['copy_offset']); %]"
-       title="[% l('Show copies at [_1]', ou_name); %]">
+       title="[% l('Show copies at [_1]', ou_name) | html; %]">
        [%- l('(Show)'); %]</a>
     [%- END; %]
     </li>
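Review bot: filtering after `l()` is correct for the `title` attribute, since the `ou_name` argument is what carries the untrusted text; the `href="[% mkurl('', {copy_depth => this_depth}, ['copy_offset']); %]"` on the preceding line remains unfiltered, which is fine only if `mkurl` already produces attribute-safe output (ampersands between query parameters encoded). A brief note in the commit message that `mkurl` escapes for attribute context would make this easier to review.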
@@ -43,7 +43,7 @@
             attrs.plib_copy_counts.$depth.count,
             ou_name) | html
     %] <a href="[% mkurl('', {locg => ou_id}, ['copy_offset']); %]"
-       title="[% l('Show copies at [_1]', ou_name); %]">[%
+       title="[% l('Show copies at [_1]', ou_name) | html; %]">[%
        l('(Show preferred library)');
     %]</a></li>
     [%- END %]

-----------------------------------------------------------------------

Summary of changes:
 .../version-upgrade/2.12.11-2.12.12-upgrade-db.sql |    5 +++
 .../src/templates/opac/parts/record/contents.tt2   |    3 +-
 .../templates/opac/parts/record/copy_counts.tt2    |    4 +-
 .../templates/opac/parts/record/issues-mfhd.tt2    |    4 +-
 docs/RELEASE_NOTES_2_12.adoc                       |   33 ++++++++++++++++++
 docs/installation/server_upgrade.adoc              |   35 ++++++++++---------
 6 files changed, 61 insertions(+), 23 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

