[OPEN-ILS-DEV] Security vulnerability in Evergreen 1.6: patch orupgrade advised

Duimovich, George George.Duimovich at NRCan-RNCan.gc.ca
Sun Jun 27 09:11:00 EDT 2010


Thanks Dan.

To clarify the upgrade instructions.

Say I'm on a 1.6.0.3 system -- could I go straight to run the 1.6.0.6 install, /BUT/ ensure that in step 5 "Upgrade the database" I carefully run the Step 5 SQL upgrade scripts in the order:

1.6.0.3 > 1.6.0.4
1.6.0.4 > 1.6.0.5
1.6.0.5 > 1.6.0.6

in lieu of running full upgrade steps times 3. Preliminary look at the note suggests yes, but just want to double check this strategy.

Thanks

George


-----Original Message-----
From: open-ils-dev-bounces at list.georgialibraries.org on behalf of Dan Scott
Sent: Sun 27/06/2010 1:05 AM
To: Evergreen Development Discussion List; Evergreen Discussion Group
Subject: [OPEN-ILS-DEV] Security vulnerability in Evergreen 1.6: patch orupgrade advised
 
On Thursday, June 17th, we realized that the open-ils.pcrud service,
which provides permission-protected access to Evergreen data in the 1.6
release series, was subject to a security vulnerability. The
vulnerability allows a user to access objects outside of the permissions
they have been granted by supplying fleshing arguments to the
open-ils.pcrud service.

By Thursday evening, a patch for the vulnerability had been committed to
Evergreen trunk, and by Friday evening that patch had been backported to
the 1.6.0 branch. The Evergreen 1.6.0.6 security release was uploaded on
Tuesday June 22, and it took until late Friday June 26 to write up the
upgrade instructions, release notes, and update the downloads page for
the http://evergreen-ils.org Web site.

Today, we worked out how to apply just the security fix to a running
system, so that Evergreen libraries can close the vulnerability without
having to apply the full release upgrade. The procedure is as follows:

   1. Download the fixed file:
http://svn.open-ils.org/trac/ILS/export/16749/branches/rel_1_6_0/Open-ILS/src/c-apps/oils_cstore.c
   2. Copy oils_cstore.c over Open-ILS/src/c-apps/oils_cstore.c in the
source directory you used to install your Evergreen system
   3. Run 'make' to compile the updated libraries
   4. Install the chrpath tool ("aptitude install chrpath")
   5. Run "chrpath -d Open-ILS/src/c-apps/.libs/oils_pcrud.so" to enable
the library to link to the appropriate location
   6. Copy Open-ILS/src/c-apps/.libs/oils_pcrud.so.* to /openils/lib/.
   7. Restart the Evergreen C services by running 'osrf_ctl.sh -a
restart_c'

If you are running Evergreen 1.6, we recommend that you apply this
security fix as soon as possible, then upgrade to the latest release
(1.6.0.6) when you have an opportunity. Evergreen sites running releases
prior to 1.6 are not affected by this vulnerability.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 4332 bytes
Desc: not available
Url : http://libmail.georgialibraries.org/pipermail/open-ils-dev/attachments/20100627/b7d7f58d/attachment.bin 


More information about the Open-ils-dev mailing list