[OPEN-ILS-GENERAL] [OPEN-ILS-DEV] Evergreen security releases: 2.0.10 and 1.6.1.9

Anoop Atre anoop.atre at mnsu.edu
Thu Oct 6 17:24:33 EDT 2011


UPDATE: 2011-10-06 [from Dan Scott]

Unfortunately, we discovered a problem with the brute force fix that 
could lead to incorrect authentication failures. The problem was most 
evident in multi-brick environments, but could occur in any environment 
with more than one open-ils.auth child processing authentication 
requests. Consequently, we have released updated versions of the 
security fix releases, along with an updated version of the 2.1.0 
release; the only difference in these tarballs is an updated version of 
oils_auth.c. The names of the releases are as follows and can be 
downloaded from the Evergreen downloads page as usual:

     * 2.1.0a
     * 2.0.10a
     * 1.6.1.9a

Sites that have not yet upgraded to the announced security release are 
advised to upgrade to the “a” version of the release. Sites that have 
upgraded to the announced security release are advised to simply replace 
the oils_auth.so shared library, as described in the comment to the blog 
post by Dan Scott [1], using the “a” version of the release. The staff 
clients provided for the security release will continue to work with the 
fixed “a” version of the release.

[1] http://evergreen-ils.org/blog/?p=687

~

On 10/06/2011 07:24 AM, Peters, Michael wrote:
> Dan,
>
> Thanks so much for this. Much appreciated.
>
> Sincerely,
> Michael Peters
> Indiana State Library MIS | Inspire.IN.gov Helpdesk | Evergreen Indiana Helpdesk
> office - 317.234.2128
> email - mrpeters at library.in.gov
>
>
> -----Original Message-----
> From: open-ils-dev-bounces at list.georgialibraries.org [mailto:open-ils-dev-bounces at list.georgialibraries.org] On Behalf Of Dan Scott
> Sent: Wednesday, October 05, 2011 4:06 PM
> To: open-ils-general at list.georgialibraries.org; open-ils-dev at list.georgialibraries.org
> Subject: Re: [OPEN-ILS-DEV] Evergreen security releases: 2.0.10 and 1.6.1.9
>
> On Wed, Oct 05, 2011 at 10:18:04AM -0400, Dan Scott wrote:
>> Today, the Evergreen development team released Evergreen 2.0.10 and
>> 1.6.1.9 - available from the downloads page at
>> http://evergreen-ils.org/downloads - to address several security
>> vulnerabilities and a handful of bug fixes. This post discusses the
>> security vulnerabilities. If you are running Evergreen in production
>> today, we encourage you to upgrade your Evergreen system to 1.6.1.9 or
>> 2.0.10 as soon as possible.
>
> Note that I have written up a brief guide for addressing the worst of
> the security vulnerabilities by updating oils_auth.so as a comment to
> the blog post that announced this release. The process that I have
> documented can be applied to a running system - I tested it on Conifer
> with no ill effects - so if you're not in the mood for doing a complete
> upgrade of your system, you can at least patch the password
> brute-forcing vulnerability with 10 minutes or less of work:
>
> The comment with the step-by-step process is at
> http://evergreen-ils.org/blog/?p=687&cpage=1#comment-54959
>


-- 

Anoop Atre
IS Developer & Integrator, PALS
PH: 507.389.5060
OF: 3022 Memorial Library (Office-ML 3022)
-- 
"Against stupidity the gods themselves contend in vain"
  ~ Johann Christoph Friedrich von Schiller

