<div dir="ltr">
<p>The Evergreen Project announces security releases for Evergreen and OpenSRF.</p>
<p>The Evergreen releases are:</p>
<ul><li>3.10.5</li><li>3.11.6</li><li>3.12.4</li><li>3.13.1</li></ul>
<p>The Evergreen releases include fixes for the following issues:</p>
<ul><li>Two reflected XSS (cross-site scripting) vulnerabilities that would
allow arbitrary JavaScript to be executed in the user’s web browser</li><li>An insecure direct object reference (IDOR) vulnerability that allows
constructing URLs that can access arbitrary Action Trigger event
output, including data related to patron circulation notices</li></ul>
<p>The IDOR vulnerability is considered critical; all Evergreen sites
are recommended to upgrade or apply the fixes as soon as possible.</p>
<p>The OpenSRF releases are:</p>
<ul><li>3.2.5</li><li>3.3.1</li></ul>
<p>The OpenSRF releases fix a buffer overflow and a race condition that
can crash Perl services. There are no known exploits for either issue,
but Evergreen sites are nonetheless recommended to upgrade OpenSRF.</p>
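<p>The check a site administrator wants from an announcement like this is whether each installed release is at or above the fixed release for its minor series. The following is an added example (not Evergreen Project or OpenSRF code) that encodes only the release numbers listed above; a version from a series the announcement does not mention is reported as not covered rather than guessed at, and the version strings it is run on are constructed for illustration.</p>

```python
"""Compare installed Evergreen / OpenSRF versions against the fixed
releases listed in this announcement.

Added example, not Evergreen Project or OpenSRF code. The only data it
relies on are the release numbers from the announcement itself.
"""
import re

# Lowest release in each minor series that contains the fixes, per the
# announcement: Evergreen 3.10.5, 3.11.6, 3.12.4, 3.13.1 and
# OpenSRF 3.2.5, 3.3.1.
FIXED_RELEASES = {
    "Evergreen": {
        (3, 10): (3, 10, 5),
        (3, 11): (3, 11, 6),
        (3, 12): (3, 12, 4),
        (3, 13): (3, 13, 1),
    },
    "OpenSRF": {
        (3, 2): (3, 2, 5),
        (3, 3): (3, 3, 1),
    },
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into an int tuple.

    Anything else (pre-release tags, two-component versions) is rejected
    rather than silently compared, since a pre-release of a fixed version
    may not contain the fix.
    """
    match = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def patch_status(product, installed):
    """Return 'patched', 'vulnerable' or 'not-covered' for one install.

    'not-covered' means the minor series is not listed in the announcement
    (for example an older, unsupported series); treat it as needing review.
    """
    version = parse_version(installed)
    series_fixes = FIXED_RELEASES[product]
    fixed = series_fixes.get(version[:2])
    if fixed is None:
        return "not-covered"
    return "patched" if version >= fixed else "vulnerable"


def report(installs):
    """Evaluate a mapping of site -> {product: version} and return the
    sites that still need attention, with the reason per product."""
    needs_attention = {}
    for site, products in installs.items():
        problems = {
            product: patch_status(product, version)
            for product, version in products.items()
            if patch_status(product, version) != "patched"
        }
        if problems:
            needs_attention[site] = problems
    return needs_attention


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical site names and versions).
    inventory = {
        "library-a": {"Evergreen": "3.12.4", "OpenSRF": "3.3.1"},
        "library-b": {"Evergreen": "3.11.5", "OpenSRF": "3.2.5"},
        "library-c": {"Evergreen": "3.9.2", "OpenSRF": "3.2.4"},
    }
    for site, problems in report(inventory).items():
        print(site, problems)
```

<p>Because the IDOR fix is the one the announcement flags as critical, a site reporting <code>vulnerable</code> for Evergreen should be prioritised over one reporting only an OpenSRF gap; <code>not-covered</code> sites are running a series the announcement does not list and should consult the downloads pages directly.</p>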
<p>Additional information, including the new releases and release notes
with instructions for applying the fixes, can be found on the downloads
pages for <a href="https://evergreen-ils.org/egdownloads">Evergreen</a> and <a href="https://evergreen-ils.org/opensrf-downloads">OpenSRF</a>.</p>
<br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Galen Charlton<br>Implementation and IT Manager<br>Equinox Open Library Initiative<br><a href="mailto:gmc@equinoxOLI.org" target="_blank">gmc@equinoxOLI.org</a><br><a href="https://www.equinoxOLI.org" target="_blank">https://www.equinoxOLI.org</a> <br>phone: 877-OPEN-ILS (673-6457)<br>direct: 770-709-5581</div></div></div>