Hi,

Here is the release announcement for 3.14.03: http://koha-community.org/koha-3-14-3-released/

Regards,

On 07/02/2014 02:51, Galen Charlton wrote:
[apologies for the multi-post, but if there are any folks who are subscribed to koha-devel but not the general list, they need to see this too]

The Koha community is releasing a security update for all supported and recent unsupported versions of Koha. The security update is available in the following new releases being made today:

* 3.14.3
* 3.12.10
* 3.10.13
* 3.8.23

The following security bugs are fixed by this update:

* Bug 11660: tools/pdfViewer.pl could be used to read arbitrary files on the server
* Bug 11661: the staff interface help editor could be used to modify or create arbitrary files on the server with the privileges of the Apache user
* Bug 11662: member-picupload.pl could be used to write to arbitrary files on the server with the privileges of the Apache user
* Bug 11666: the MARC framework import/export function did not require authentication, and could be used to perform unexpected SQL commands

The fix for bug 11666 removes SQL as a supported format for importing or exporting MARC frameworks.

We recommend that you upgrade immediately to get the fixes for these security issues. However, if you are not able to perform the upgrade right away, you can mitigate against the issues by performing the following actions:

* deleting the pdfViewer.pl script
* deleting the member-picupload.pl script
* making edithelp.pl not be executable, e.g., by doing chmod a-x edithelp.pl
* making import_export_framework.pl not be executable, which will disable the MARC framework import and export functionality

Our thanks to John Lightsey for finding and reporting the issues.

The 3.14.3 and 3.10.13 releases also contain unrelated bugfixes which are described in their release notes.

Please note that if you installed from a tarball, you may need to manually delete pdfViewer.pl and member-picupload.pl, even after you upgrade.

Users of the Debian packages for 3.12.x and 3.14.x (and master) can get the latest release by running apt-get update followed by apt-get upgrade.

Tarballs are also available and can be downloaded from http://download.koha-community.org.

If you are not running a version of Koha that has a release maintainer (currently 3.8.x, 3.10.x, 3.12.x, and 3.14.x), we strongly urge you to upgrade to a supported version.

Regards,

Galen
--
Fridolin SOMERS
Biblibre - Pôles support et système
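The four interim mitigations in the quoted advisory (delete two scripts, clear the execute bit on two others) are easy to apply by hand but just as easy to miss a copy of, especially on tarball installs where the old scripts may survive an upgrade. The following POSIX shell script is an added example, not Koha project code or part of the advisory: it locates each script by file name under a Koha install root you pass as the first argument (the advisory gives no full paths apart from tools/pdfViewer.pl, so the directory layout is not assumed), applies the mitigations, and then verifies that no copy of the deleted scripts remains and no copy of the disabled scripts is still executable.

```shell
#!/bin/sh
# Added example (not from the Koha advisory or the Koha project): apply the
# advisory's interim mitigations to a Koha install tree and verify them.
# Assumption: the argument is the root of the Koha CGI tree (the directory
# that contains tools/pdfViewer.pl). Scripts are found by name with find
# because the advisory does not state where each one lives.

# Names the advisory says to delete, and names it says to make non-executable.
KOHA_DELETE_SCRIPTS="pdfViewer.pl member-picupload.pl"
KOHA_DISABLE_SCRIPTS="edithelp.pl import_export_framework.pl"

# Mitigations 1-4: remove every copy of the two scripts to delete and clear
# all execute bits on every copy of the two scripts to disable.
apply_koha_mitigations() {
    root=$1
    for name in $KOHA_DELETE_SCRIPTS; do
        find "$root" -type f -name "$name" -print -exec rm -f -- {} + \
            | sed 's/^/removed: /'
    done
    for name in $KOHA_DISABLE_SCRIPTS; do
        find "$root" -type f -name "$name" -print -exec chmod a-x -- {} + \
            | sed 's/^/cleared execute bit: /'
    done
}

# Return 0 when all four mitigations are in place under the root, 1 otherwise,
# naming each offending file on stderr. Re-run this after an upgrade too, since
# the advisory notes tarball installs may keep the old scripts around.
check_koha_mitigations() {
    root=$1
    status=0
    for name in $KOHA_DELETE_SCRIPTS; do
        present=$(find "$root" -type f -name "$name")
        if [ -n "$present" ]; then
            echo "still present: $present" >&2
            status=1
        fi
    done
    for name in $KOHA_DISABLE_SCRIPTS; do
        # -exec test -x {} \; -print lists only copies that are still executable
        executable=$(find "$root" -type f -name "$name" -exec test -x {} \; -print)
        if [ -n "$executable" ]; then
            echo "still executable: $executable" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh koha_mitigate.sh /path/to/koha/intranet/cgi-bin
# Only acts when a root directory is given, so sourcing the file is harmless.
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    apply_koha_mitigations "$1"
    if check_koha_mitigations "$1"; then
        echo "all interim mitigations in place under $1"
    else
        echo "some mitigations are NOT in place under $1" >&2
        exit 1
    fi
fi
```

The check function is deliberately separate from the apply function so it can be run on its own as a post-upgrade audit: the advisory warns that tarball installs may need pdfViewer.pl and member-picupload.pl removed by hand even after upgrading, and a non-zero exit from check_koha_mitigations is a quick way to confirm whether that applies to a given host.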
