[OPEN-ILS-GENERAL] Evergreen 2.2.0, 2.1.2 rc2, and 2.0.12 released - with SECURITY fixes

[Lebbeous Fogle-Weekley]

Evergreen 2.2.0, 2.1.2 rc2, and 2.0.12 released - with SECURITY fixes
( Web-formatted version of this announcement:
   http://evergreen-ils.org/blog/?p=776 )


I would like to announce the long awaited Evergreen 2.2.0, the first 
official, stable release with the new Template Toolkit OPAC, and a whole 
passel of other new features.

You can download it now!  http://evergreen-ils.org/downloads.php

The release notes for 2.2.0 are here: 
http://evergreen-ils.org/documentation/release/RELEASE_NOTES_2_2_0.html

2.1.2 rc2 and 2.0.12 are also announced (thanks to Dan Scott and Jason 
Stephenson, respectively).

2.0.12 is a security update only, and contains no new features.

The technical changelog for 2.2.0 is here:
http://open-ils.org/downloads/ChangeLog-2.1-2.2.0


THESE RELEASES CONTAINS SECURITY UPDATES, so you will want to upgrade as 
soon as possible.

Upgrading to the latest release in your series (2.2, 2.1, or 2.0) is 
sufficient to protect your site with these security updates:

1) Give away less information with the LOGIN_FAILURE event
2) Prevent deleted and barred users from logging in at all.
3) Require the UPDATE_MARC permission rather than only the CREATE_MARC 
permission for users to update biblio graphic records.

More information about the security updates can be found in the ChangeLog.

If you don't wish to upgrade outright to the latest version, sites 
running any 2.0, 2.1, or 2.2 code today can get the benefit of the 
security updates by following these steps:

1. Download the Evergreen 2.2.0, 2.1.2-rc2, or 2.0.12 release tarball; 
whichever belongs to the release series you're currently running.
2. Untar the tarball
3. In the source directory, run ./configure --prefix=/openils 
--sysconf=/openils/conf && make to build the libraries
4. Install the chrpath tool (aptitude install chrpath on Debian / Ubuntu 
systems)
5. Run "chrpath -d Open-ILS/src/c-apps/.libs/oils_auth.so" to enable the 
library to link to the appropriate location
6. Copy your existing oils_auth.so library to a safe location; for 
example, "cp /openils/lib/oils_auth.so /openils/oils_auth.so.20120613"
7. Copy your new oils_auth.so library into place: cp 
Open-ILS/src/c-apps/.libs/oils_auth.so /openils/lib/.
8. As the root user, run ldconfig to refresh your dynamic linking cache.

9. As the root user:
     a. Find the location of Cat.pm running on your system. For systems 
running Evergreen 2.1 and up, this looks something like 
/usr/local/share/perl/5.10.1/OpenILS/Application/Cat.pm, but the Perl 
version number could vary by system.  For systems running 2.0.x, this is 
likely /openils/lib/perl5/OpenILS/Application/Cat.pm .
     b. Open the file in a text editor and find a line exactly like this:

     return $e->die_event unless $e->allowed('CREATE_MARC', 
$e->requestor->ws_ou);

     c. Replace 'CREATE_MARC' with 'UPDATE_MARC'.
     d. Save your changes.

10. Restart your OpenSRF services: osrf_ctl.sh -a restart_all (NOTE: you 
may require the -l flag on that command, depending on your system).

* To slightly paraphrase Galen Charlton who once referred to similar 
instructions for a previous security update:
Note that /openils/lib/oils_auth.so is normally a symbolic link to 
oils_auth.so.2.0.0. When applying Dan's fix procedure, make sure that 
the final result has all versions of the file name oils_auth.so[.*] 
pointing to the same shared object.

-- 
Lebbeous Fogle-Weekley
  | Software Developer
  | Equinox Software, Inc. / Your Library's Guide to Open Source
  | phone:  1-877-OPEN-ILS (673-6457)
  | email:  lebbeous at esilibrary.com
  | web:  http://www.esilibrary.com