[OPEN-ILS-DEV] Evergreen security releases: 2.0.10 and 1.6.1.9
Dan Scott
dan at coffeecode.net
Wed Oct 5 16:05:37 EDT 2011

On Wed, Oct 05, 2011 at 10:18:04AM -0400, Dan Scott wrote:
> Today, the Evergreen development team released Evergreen 2.0.10 and
> 1.6.1.9 - available from the downloads page at
> http://evergreen-ils.org/downloads - to address several security
> vulnerabilities and a handful of bug fixes. This post discusses the
> security vulnerabilities. If you are running Evergreen in production
> today, we encourage you to upgrade your Evergreen system to 1.6.1.9 or
> 2.0.10 as soon as possible.

Note that I have written up a brief guide for addressing the worst of
the security vulnerabilities by updating oils_auth.so as a comment to
the blog post that announced this release. The process that I have
documented can be applied to a running system - I tested it on Conifer
with no ill effects - so if you're not in the mood for doing a complete
upgrade of your system, you can at least patch the password
brute-forcing vulnerability with 10 minutes or less of work:

The comment with the step-by-step process is at
http://evergreen-ils.org/blog/?p=687&cpage=1#comment-54959