[OPEN-ILS-GENERAL] Upcoming Evergreen and OpenSRF security releases

Galen Charlton gmc at equinoxinitiative.org
Thu Feb 16 11:22:45 EST 2017


Hi,

Later today we will be releasing security updates for Evergreen and
OpenSRF. We recommend that Evergreen users be prepared to install them
as soon as possible.

The Evergreen security issue only affects users of a certain credit
card payment processor, and the fix can be implemented by running two
SQL statements; a full upgrade is not required.

The OpenSRF security issue is more serious and can be used by
attackers to perform a denial of service attack and potentially bypass
standard authentication.  Consequently, we recommend that users
upgrade to OpenSRF 2.4.2 as soon as it is released.

If you are currently using OpenSRF 2.4.0 or OpenSRF 2.4.1, the upgrade
will consist of the following steps:

- downloading and compiling OpenSRF 2.4.2
- running the 'make install' step
- restarting Evergreen services

If you are currently running a version of OpenSRF that is older than
2.4.0, we strongly recommend upgrading to 2.4.2; note that it will
also be necessary to recompile Evergreen.

There will also be a second beta release of OpenSRF 2.5 that will
include the security fix.

Regards,

Galen
-- 
Galen Charlton
Infrastructure and Added Services Manager
Equinox Open Library Initiative
phone:  1-877-OPEN-ILS (673-6457)
email:  gmc at equinoxInitiative.org
web:  https://equinoxInitiative.org
direct: +1 770-709-5581
cell:   +1 404-984-4366

