From: Galen Charlton Date: Fri, 24 Mar 2023 17:42:39 +0000 (-0400) Subject: update 3.8.3 release notes to include security fix information X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=05d86d16495a6ef867e82a6dd923200aabdcb746;p=evergreen%2Fpines.git update 3.8.3 release notes to include security fix information Signed-off-by: Galen Charlton --- diff --git a/docs/RELEASE_NOTES_3_8.adoc b/docs/RELEASE_NOTES_3_8.adoc index 70edc4bd03..782a31fd0a 100644 --- a/docs/RELEASE_NOTES_3_8.adoc +++ b/docs/RELEASE_NOTES_3_8.adoc 
@@ -5,11 +5,41 @@ == Evergreen 3.8.3 == -This release contains bug fixes improving on Evergreen 3.8.2. +This release contains bug fixes improving on Evergreen 3.8.2. This release includes +fixes for two security bugs. + +=== Security Fixes === + +==== Protect qtype CGI Parameter ==== + +Malicious DoS attempts have been witnessed in the wild making use of +the fact that Evergreen does not check the contents of the `qtype` CGI +parameter. While these fail their intent, it would be better to +simply drop such searches on the floor when they're seen. + +Evergreen will now confirm that the search class in the `qtype` parameter +is valid, and that the remainder of the value is structured correctly, +before processing the search request. + +This is https://bugs.launchpad.net/evergreen/+bug/1811685[Bug 1811685]. + +==== Catalog Search Denial of Service Protection ==== + +Here we add two ways to protect against denial of service attacks: + + * Limit concurrent search requests per client IP address + ** This helps address issues of accidental spamming from a malfunctioning OPAC workstation, or web crawlers of various types. The limit is controlled by a global flag called *opac.max_concurrent_search.ip*. By default there is no limit set. + * Limit the global concurrent search requests for the same query + ** This helps address both simple and distributed DoS that send the same search request over and over. The limit is controlled by a global flag called *opac.max_concurrent_search.query*, and defaults to 20. + +When a limit is exceeded the client receives an HTTP 429 "Too many requests" response from the web server, and the connection is ended. + +This is https://bugs.launchpad.net/evergreen/+bug/1361782[Bug 1361782]. 
=== Upgrade notes === * https://bugs.launchpad.net/evergreen/+bug/2003707[Bug 2003707] - During upgrade, if you're running with `opensrf_core.xml` located anywhere other than `/openils/conf` in a single-tenant manner, make sure that `SYSCONFDIR` as set in `autogen.sh` matches what's set in the installed `Cronscript.pm` +* https://bugs.launchpad.net/evergreen/+bug/1361782[Bug 1361782] includes a schema upgrade === Bug Fixes ===
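Review bot: the "Catalog Search Denial of Service Protection" section names the two global flags and their defaults but never says where an administrator sets them, nor what "client IP address" means when something sits in front of the web server; because the per-IP limit is keyed on the address the web server sees, a deployment that terminates TLS or load-balances in front of Apache would count every user as a single client once *opac.max_concurrent_search.ip* is set, so add a sentence noting that the real client address has to reach the web server for the per-IP limit to be meaningful. The "Protect qtype CGI Parameter" section should also state what the client receives when the `qtype` value fails validation, since the HTTP 429 "Too many requests" text applies only to the two concurrency limits and a reader will otherwise assume it covers both fixes. Finally, the new upgrade-notes bullet "includes a schema upgrade" would help administrators more if it said what the upgrade adds (if it is what creates the *opac.max_concurrent_search.ip* and *opac.max_concurrent_search.query* global flags, say so), so that sites know to review the query default of 20 and decide on a per-IP value after upgrading.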