From d5b401aa45bdeb55564b491e153458ad3e236c6c Mon Sep 17 00:00:00 2001 From: Galen Charlton Date: Fri, 24 Mar 2023 13:39:53 -0400 Subject: [PATCH] update 3.10.1 release notes to include security fix Also fixes a typo. Signed-off-by: Galen Charlton --- docs/RELEASE_NOTES_3_10.adoc | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/docs/RELEASE_NOTES_3_10.adoc b/docs/RELEASE_NOTES_3_10.adoc index 73daff51e9..606d846bec 100644 --- a/docs/RELEASE_NOTES_3_10.adoc +++ b/docs/RELEASE_NOTES_3_10.adoc @@ -5,14 +5,44 @@ == Evergreen 3.10.1 == -This release contains bug fixes improving on Evergreen 3.10.0. +This release contains bug fixes improving on Evergreen 3.10.0. This release includes +fixes for two security bugs. + +=== Security Fixes === + +==== Protect qtype CGI Parameter ==== + +Malicious DoS attempts have been witnessed in the wild making use of +the fact that Evergreen does not check the contents of the `qtype` CGI +parameter. While these fail their intent, it would be better to +simply drop such searches on the floor when they're seen. + +Evergreen will now confirm that the search class in the `qtype` parameter +is valid, and that the remainder of the value is structured correctly, +before processing the search request. + +This is https://bugs.launchpad.net/evergreen/+bug/1811685[Bug 1811685]. + +==== Catalog Search Denial of Service Protection ==== + +Here we add two ways to protect against denial of service attacks: + + * Limit concurrent search requests per client IP address + ** This helps address issues of accidental spamming from a malfunctioning OPAC workstation, or web crawlers of various types. The limit is controlled by a global flag called *opac.max_concurrent_search.ip*. By default there is no limit set. + * Limit the global concurrent search requests for the same query + ** This helps address both simple and distributed DoS that send the same search request over and over. The limit is controlled by a global flag called *opac.max_concurrent_search.query*, and defaults to 20. + +When a limit is exceeded the client receives an HTTP 429 "Too many requests" response from the web server, and the connection is ended. + +This is https://bugs.launchpad.net/evergreen/+bug/1361782[Bug 1361782]. === Upgrade notes === * https://bugs.launchpad.net/evergreen/+bug/2003707[Bug 2003707] - During upgrade, if you're running with `opensrf_core.xml` located anywhere other than `/openils/conf` in a single-tenant manner, make sure that `SYSCONFDIR` as set in `autogen.sh` matches what's set in the installed `Cronscript.pm` -* https://bugs.launchpad.net/evergreen/+bug/1998355[Bug 1998355) requires a schema update +* https://bugs.launchpad.net/evergreen/+bug/1998355[Bug 1998355] requires a schema update * https://bugs.launchpad.net/evergreen/+bug/1441750[Bug 1441750] requires a schema update * https://bugs.launchpad.net/evergreen/+bug/1995623[Bug 1995623] requires a schema update +* https://bugs.launchpad.net/evergreen/+bug/1361782[Bug 1361782] requires a schema update === Bug Fixes === -- 2.11.0