[OPEN-ILS-GENERAL] Evergreen security releases: 3.1.15, 3.2.9, 3.3.4, and 3.4-beta2

Galen Charlton gmc at equinoxinitiative.org
Thu Sep 19 16:47:28 EDT 2019 

On behalf of the Evergreen contributors, we are pleased to announce the
release of Evergreen 3.1.15, 3.2.9, 3.3.4, and 3.4-beta2.

The new releases can be downloaded from:

http://evergreen-ils.org/egdownloads/

THESE RELEASES CONTAIN SECURITY UPDATES.

It is recommended that all Evergreen sites upgrade to one of the new
releases as soon as possible.

These releases fix two bugs related to cross-site scripting (XSS)
vulnerabilities in the public catalog.

Bug 1559239: Mitigates a potential risk of having a web page location
changed when opening a link in a new tab. Evergreen administrators should
review whether the following templates have been customized or overridden.
If so, either the template should be replaced with the stock version or the
rel="noopener" attribute added to all anchor (<a/>) tags with a
target="_blank" attribute.

    Open-ILS/src/templates/opac/parts/record/summary.tt2
    Open-ILS/src/templates/opac/parts/result/table.tt2

Bug 1822630: Resolves a problem with not properly sanitizing user input.
When upgrading, Evergreen administrators should review whether any of the
following templates have been customized or overridden. If so, either the
template should be replaced with the stock version or the XSS fix (which
entails adding the | html filter in several places) applied to the
customized version.

    Open-ILS/src/templates/opac/browse.tt2
    Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
    Open-ILS/src/templates/opac/parts/header.tt2
    Open-ILS/src/templates/opac/parts/place_hold.tt2
    Open-ILS/src/templates/opac/parts/place_hold_result.tt2
    Open-ILS/src/templates/opac/parts/result/adv_filter.tt2

All of these new releases also contain bugfixes that are not related to the
security issues. For more information on the changes in these releases,
please visit

https://evergreen-ils.org/security-releases-evergreen-3-1-15-3-2-9-3-3-4-and-3-4-beta2/

-- 
Galen Charlton
Implementation and Services Manager
Equinox Open Library Initiative
phone:  1-877-OPEN-ILS (673-6457)
email:  gmc at equinoxInitiative.org
web:  https://equinoxInitiative.org
direct: +1 770-709-5581
cell:   +1 404-984-4366
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://libmail.georgialibraries.org/pipermail/open-ils-general/attachments/20190919/fd330e33/attachment.html>

More information about the Open-ils-general mailing list