[OPEN-ILS-GENERAL] Evergreen security releases: 2.0.10 and 1.6.1.9

Dan Scott dan at coffeecode.net
Wed Oct 5 16:05:37 EDT 2011


On Wed, Oct 05, 2011 at 10:18:04AM -0400, Dan Scott wrote:
> Today, the Evergreen development team released Evergreen 2.0.10 and
> 1.6.1.9 - available from the downloads page at
> http://evergreen-ils.org/downloads - to address several security
> vulnerabilities and a handful of bug fixes. This post discusses the
> security vulnerabilities. If you are running Evergreen in production
> today, we encourage you to upgrade your Evergreen system to 1.6.1.9 or
> 2.0.10 as soon as possible.

Note that I have written up a brief guide for addressing the worst of
the security vulnerabilities by updating oils_auth.so as a comment to
the blog post that announced this release. The process that I have
documented can be applied to a running system - I tested it on Conifer
with no ill effects - so if you're not in the mood for doing a complete
upgrade of your system, you can at least patch the password
brute-forcing vulnerability with 10 minutes or less of work:

The comment with the step-by-step process is at
http://evergreen-ils.org/blog/?p=687&cpage=1#comment-54959



More information about the Open-ils-general mailing list