On Wed, Oct 05, 2011 at 10:18:04AM -0400, Dan Scott wrote:
> Today, the Evergreen development team released Evergreen 2.0.10 and
> 1.6.1.9 - available from the downloads page at
> http://evergreen-ils.org/downloads - to address several security
> vulnerabilities and a handful of bug fixes. This post discusses the
> security vulnerabilities. If you are running Evergreen in production
> today, we encourage you to upgrade your Evergreen system to 1.6.1.9 or
> 2.0.10 as soon as possible.
Note that I have written up a brief guide for addressing the worst of the security vulnerabilities by updating oils_auth.so as a comment to the blog post that announced this release. The process that I have documented can be applied to a running system - I tested it on Conifer with no ill effects - so if you're not in the mood for doing a complete upgrade of your system, you can at least patch the password brute-forcing vulnerability with 10 minutes or less of work: The comment with the step-by-step process is at http://evergreen-ils.org/blog/?p=687&cpage=1#comment-54959
