From 6a14ec18e7d6dca97dcb5e551452051b9ee32aa4 Mon Sep 17 00:00:00 2001 From: Ben Shum Date: Fri, 1 May 2015 14:09:01 -0400 Subject: [PATCH] Docs - Add security note for 2.7.5 Signed-off-by: Ben Shum --- docs/RELEASE_NOTES_2_7.txt | 58 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 56 insertions(+), 2 deletions(-) diff --git a/docs/RELEASE_NOTES_2_7.txt b/docs/RELEASE_NOTES_2_7.txt index 12d3bef969..bdd6b17f10 100644 --- a/docs/RELEASE_NOTES_2_7.txt +++ b/docs/RELEASE_NOTES_2_7.txt 
@@ -379,8 +379,62 @@ http://sitemaps.org specification, including: Bug Fixes --------- -IMPORTANT SECURITY INFORMATION -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +IMPORTANT SECURITY INFORMATION - 2.7.5 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +For users of Apache version 2.4, a serious security flaw that allows +unauthorized remote access to reporter output and potentially other +sensitive data is fixed in the following releases of Evergreen: 2.6.8, +2.7.5, and 2.8.1. All prior releases of Evergreen are vulnerable to +exploitation of this flaw to reveal sensitive system information. If +you are running a vulnerable release of Evergreen you are *strongly* +encouraged to upgrade to a non-vulnerable release as soon as possible. + +Apache version 2.2 is not affected. + +In addition to upgrading Evergreen, a configuration change is required +for users of Apache version 2.4. Any or , etc. +configuration section in the /etc/apache2/eg_vhost.conf (debian/ubuntu) +file which contains "PerlAuthenHandler OpenILS::WWW::Proxy::Authen" +should be edited. For each, remove the line reading "Require all +granted". 
+ +For example, this section: + +[source,conf] +---------------------------------------------------------------------------- + + SetHandler perl-script + AuthType Basic + AuthName "Collections Login" + PerlOptions +GlobalRequest + PerlSetVar OILSProxyPermissions "money.collections_tracker.create" + PerlAuthenHandler OpenILS::WWW::Proxy::Authen + Require valid-user + Options +ExecCGI + PerlSendHeader On + Require all granted + +---------------------------------------------------------------------------- + +Should have its final line removed and be changed to: + +[source,conf] +---------------------------------------------------------------------------- + + SetHandler perl-script + AuthType Basic + AuthName "Collections Login" + PerlOptions +GlobalRequest + PerlSetVar OILSProxyPermissions "money.collections_tracker.create" + PerlAuthenHandler OpenILS::WWW::Proxy::Authen + Require valid-user + Options +ExecCGI + PerlSendHeader On + +---------------------------------------------------------------------------- + +IMPORTANT SECURITY INFORMATION - 2.7.4 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A serious security flaw that allows unauthorized remote access to organizational unit settings is fixed in the following releases of Evergreen: 2.5.9, 2.6.7, and 2.7.4. All prior releases of Evergreen -- 2.11.0
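Review bot: the sentence "Any or , etc. configuration section in the /etc/apache2/eg_vhost.conf (debian/ubuntu) file" is missing the names of the configuration sections it refers to, and both [source,conf] examples open directly on "SetHandler perl-script" with no enclosing section line, so an administrator reading the note cannot tell which blocks to edit; restore the container directive names in the prose and wrap both examples in the section they belong to, so that the example matches what actually appears in eg_vhost.conf. It would also help to say why the line must go: in Apache 2.4, several "Require" directives in one section are evaluated as an implicit RequireAny unless wrapped in RequireAll, so "Require all granted" sitting next to "Require valid-user" lets every request through without the authentication the "PerlAuthenHandler OpenILS::WWW::Proxy::Authen" line is meant to enforce, which is the unauthorized access the note describes. Minor: "debian/ubuntu" should read "Debian/Ubuntu", and "Should have its final line removed" continues the previous sentence and should not start with a capital.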