[OPEN-ILS-DEV] SECURITY RELEASES – Evergreen 2.3.6, 2.2.8, and 2.1.6

Robin H. Johnson rjohnson at sitka.bclibraries.ca
Wed Apr 17 17:00:37 EDT 2013


On Wed, Apr 17, 2013 at 12:31:50PM -0700, Galen Charlton wrote:
...
> THESE RELEASES CONTAIN SECURITY UPDATES. We strongly recommend that
> you upgrade as soon as possible.
> 
> The pcrud, cstore, and rstore services are susceptible to an SQL
> injection attack.  Any user can potentially make arbitrary SQL run on
> the Evergreen database.
...
Can you confirm that applying just this commit to an existing 2.2 tree
and rebuilding the C drones will fix this security issue?
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=34c0a980a1a17b1d1649ede361533a9bcfc6e020

-- 
Robin Hugh Johnson
SITKA: Sysadmin
Phone: 1-855-383-5761 ext 1010
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

