Security release — July 2013

The Koha community is releasing a security update for all supported and recent unsupported versions of Koha. The security update is available for the following new releases:

  • 3.12.3
  • 3.10.9
  • 3.8.16
  • 3.6.12

Patches are also available for 3.2.x and 3.4.x.

The security update fixes a situation where manipulation of the cookie used for retaining OPAC search history for anonymous sessions could theoretically result in the execution of arbitrary code on a Koha webserver.

We are aware of no active exploits at this time. The security issue can be mitigated by turning off the EnableOpacSearchHistory system preference

We recommend that all Koha users upgrade as soon as possible. If you cannot upgrade immediately, we strongly encourage you to turn off the EnableOpacSearchHistory system preference until such time as you can upgrade.

Users of the Debian packages for 3.10.x and 3.12.x can get the latest release by running apt-get update followed by apt-get upgrade. Because a new dependency was added recently, it may be necessary to run apt-get dist-upgrade instead or to run apt-get install koha-common.

For users of the Debian packages for 3.8.x and 3.6.x, since the Koha APT repository no longer contains those versions, .deb files are available for download and installation using dpkg -i:

Tarballs are also available:

The patches for 3.4.x and 3.2.x can be found as the top three commits in the 3.4.x and 3.2.x branches in Koha’s Git repository.

As a general note, if you are not running a version of Koha that has has a release maintainer (current 3.8.x, 3.10.x, and 3.12.x), we strongly urge you to upgrade to a supported version.