[Evergreen-dev] June 2024 Evergreen and OpenSRF Security releases
Galen Charlton
gmc at equinoxoli.org
Wed Jun 26 17:46:07 EDT 2024
The Evergreen Project announces security releases for Evergreen and OpenSRF.
The Evergreen releases are:
- 3.10.5
- 3.11.6
- 3.12.4
- 3.13.1
The Evergreen releases include fixes for the following issues:
- Two reflected XSS (cross-site scripting) vulnerabilities that would
permit allowing executing arbitrary JavaScript by the user’s web browser
- An insecure direct object reference (IDOR) vulnerability that allows
for constructing URLs that can access arbitrary Action Trigger event
output, including data related to patron circulation notices
The IDOR vulnerability is considered critical; all Evergreen sites are
recommended to upgrade or apply the fixes as soon as possible.
The OpenSRF releases are:
- 3.2.5
- 3.3.1
The OpenSRF releases fix a buffer overflow and a race condition that can
crash Perl services. There are no known exploits for either issue, but
Evergreen sites are nonetheless recommended to upgrade OpenSRF.
Additional information, including the new releases and release notes with
instructions for applying the fixes, can be found on the downloads pages
for Evergreen <https://evergreen-ils.org/egdownloads> and OpenSRF
<https://evergreen-ils.org/opensrf-downloads>.
--
Galen Charlton
Implementation and IT Manager
Equinox Open Library Initiative
gmc at equinoxOLI.org
https://www.equinoxOLI.org
phone: 877-OPEN-ILS (673-6457)
direct: 770-709-5581
<http://evergreen-ils.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.evergreen-ils.org/pipermail/evergreen-dev/attachments/20240626/44eedfa2/attachment.htm>
More information about the Evergreen-dev
mailing list