Koha 21.11.02 released, ⚠ security release

The Koha community is proud to announce the release of version 21.11.01.
This is a maintenance release and contains many bug fixes and enhancements.

As always you can download the release from:
https://download.koha-community.org

Thank you very much to everyone involved in this release.

Please continue reading for the details of this release.

RELEASE NOTES FOR KOHA 21.11.02

31 Jan 2022

Koha is the first free and open source software library automation
package (ILS). Development is sponsored by libraries of varying types
and sizes, volunteers, and support companies from around the world. The
website for the Koha project is:

Koha 21.11.02 can be downloaded from:

Installation instructions can be found at:

  • Koha Wiki
  • OR in the INSTALL files that come in the tarball

Koha 21.11.02 is a bugfix/maintenance release with security fixes.

It includes 9 security fixes, 3 enhancements, 37 bugfixes.

System requirements

You can learn about the system components (like OS and database) needed for running Koha here: https://wiki.koha-community.org/wiki/System_requirements_and_recommendations

Security bugs

Koha

  • [26102] Javascript injection in intranet search
  • [28735] Self-checkout users can access opac-user.pl for sco user when not using AutoSelfCheckID
  • [29540] Accounts with just ‘catalogue’ permission can modify/delete holds
  • [29541] Patron images can be accessed with just ‘catalogue’ permission
  • [29542] User with ‘catalogue’ permission can view everybody’s (private) virtualshelves
  • [29543] Self-checkout allows returning everybody’s loans
  • [29544] A patron can set everybody’s checkout notes
  • [29903] Message deletion possible from different branch
  • [29914] check_cookie_auth not strict enough

Enhancements

Architecture, internals, and plumbing

  • [29741] Add Koha::Patron->safe_to_delete

    This enhancement adds a handy method for checking if a patron meets the conditions to be deleted. These conditions are:

    • Has no linked guarantees
    • Has no pending debts
    • Has no current checkouts
    • Is not the system-configured anonymous user

    It also adapts the DELETE /patrons route to use the newly introduced Koha::Patron->safe_to_delete method.

Cataloging

  • [26587] Cache libraries in Branches TT plugin to improve performance (Sponsored by Lund University Library)

Tools

  • [20076] Overdues email to library for patrons without email should be optional

    Currently, two print notices are generated when running overdue_notices.pl if a patron does not have an email address:

    • a print overdue notice for the patron, and
    • an email message to the library with all the print versions of the overdue notices.

    Depending on a library’s work processes, they may want both or only the patron print overdue notice generated.

    This enhancement adds a new system preference, EmailOverduesNoEmail, that allows libraries to choose whether to send or not send overdue notices for patrons without an email address to library staff. The default is set to send, as this preserves the current behaviour.

Critical bugs fixed

Acquisitions

  • [29670] Restore functionality broken by bug 27708 for AcqCreateItem set to “placing an order”

    This patch restores the lost GIR segments in EDI messages generated by orders with items attached.

Cataloging

  • [29689] Update to 21.11 broken auto-generated barcode in 0001 option

Command-line Utilities

  • [29794] delete_items.pl missing include

Fines and fees

  • [29457] Fee Cancellation records the wrong manager_id

    Prior to this patch, the field borrowers.userid was inadvertently used to fill accountslines.manager_id. This should have been borrowernumber.

    This report fixes that and prints a generic warning.

Hold requests

  • [29736] Error when placing a hold for a club without members
  • [29737] Cannot suspend holds

OPAC

  • [29696] “Suggest for purchase” missing biblio link
  • [29778] Deleting additional_contents leaves entries for additional languages

REST API

  • [29018] Deleting patrons from REST API doesn’t do any checks or move to deletedborrowers

    This fixes the REST API route for deleting patrons so that it now checks for guarantees, debts, and current checkouts. If any of these checks fail, the patron is not deleted.

Tools

  • [29747] Cataloguing upload plugin broken

Other bugs fixed

Acquisitions

  • [24866] Display budget hierarchy in the budget dropdown menu used when placing a new order

    This improves the display for selecting a fund when placing a new order in acquisitions. It now displays as a hierarchy instead of a list without any indentation, for example:

    Budget 2021
    — Book
    — — Adult fiction

  • [29419] Suggest for purchase clears item type, quantity, library and reason if bib exists

Architecture, internals, and plumbing

  • [29702] all_libraries routine in library groups make a DB call per member of group
  • [29717] Too many DateTime manipulation in tools/additional-contents.pl
  • [29789] Unused $error in cataloguing/additem.pl

Circulation

  • [29476] Earliest renewal date is displayed wrong in circ/renew.pl for issues with auto renewing

Hold requests

  • [29553] Holds: Can’t call method “notforloan” on an undefined value when placing a hold

I18N/L10N

  • [29588] Yesterday and tomorrow in datepicker don’t translate

    This fixes “or”, “Yesterday”, “Today” and “Tomorrow” in the flatpickr date selector so they can be translated. (This was because __ was used when _ should have been used; __ is for .js files only.)

Installation and upgrade (command-line installer)

  • [29813] skeleton.pl missing semicolon

Notices

  • [29557] Auto renew notices should handle failed renewal due to patron expiration

    This enhancement updates the default auto-renewal notices to tell patrons that their renewals have failed because their account has expired.

OPAC

  • [17127] Can’t hide MARC21 500 and others with NotesToHide

    This fixes hiding notes fields (5XX in MARC21 and 3XX in UNIMARC) using NotesToHide. Before this you could hide one field and it worked. However, when hiding multiple fields one field would still always be visible. Now hiding notes fields works as expected.

  • [29604] Term highlighting adds unwanted pseudo element in the contentblock of OPAC details page
  • [29685] ‘If all unavailable’ state for ‘on shelf holds’ makes holds page very slow if there’s a lot of items on opac

REST API

  • [29503] GET /patrons should use Koha::Patrons->search_limited
  • [29506] objects.search should call search_limited if present
  • [29508] GET /patrons/:patron_id should use Koha::Patrons->search_limited

Reports

  • [29530] When NumSavedReports is set, show value in pull down of entries

    This updates the way the NumSavedReports preference value is used on the saved reports page. For the “Show” dropdown list:

    • it now displays the number set in NumSavedReports (previously it showed 20)
    • when expanded it now shows the number set in NumSavedReports sequentially (for example, if NumSavedReports is 78, the menu options should be “10, 20, 50, 78, 100, All”), and
    • it now displays ‘All’ if NumSavedReports is blank.

    It also updates the description for the NumSavedReports preference to clarify that all reports are shown when no value is entered.

  • [29680] Reports menu ‘Show SQL code’ wrong border radius
  • [29729] If serials_stats.pl returns no results dataTables get angry

Searching – Elasticsearch

  • [29436] Cannot reorder facets in staff interface elasticsearch configuration

Serials

  • [29790] Deleting serial items fail without warning

System Administration

  • [29591] Add autorenew_checkouts to BorrowerMandatory/Unwanted fields system preferences

Templates

  • [29552] flatpickr quick shortcuts should be ‘Disabled’ for invalid dates
  • [29571] Mainpage : “All libraries” pending suggestions are visible only if the current library has suggestions

    This fixes the display of pending suggestions in the staff interface so that it now shows pending suggestions for all libraries, for example: “Suggestions pending approval: Centerville: 0 / All libraries: 1.”. Previously suggestions pending approval was only shown if there were suggestions for the user’s current library.

  • [29688] Incorrect use of _() in holds.js
  • [29735] Remove flatpickr instantiations from .js files

Tools

  • [29693] CodeMirror broken on additional_contents.tt

New system preferences

  • EmailOverduesNoEmail

Documentation

The Koha manual is maintained in Sphinx. The home page for Koha
documentation is

The Git repository for the Koha manual can be found at

Translations

Complete or near-complete translations of the OPAC and staff
interface are available in this release for the following languages:

  • Arabic (88.2%)
  • Armenian (100%)
  • Armenian (Classical) (89%)
  • Bulgarian (93.1%)
  • Chinese (Taiwan) (79.8%)
  • Czech (69.7%)
  • English (New Zealand) (59.7%)
  • English (USA)
  • Finnish (84.1%)
  • French (93%)
  • French (Canada) (87.3%)
  • German (100%)
  • German (Switzerland) (59.3%)
  • Greek (54.5%)
  • Hindi (100%)
  • Italian (92.3%)
  • Nederlands-Nederland (Dutch-The Netherlands) (64.6%)
  • Norwegian Bokmål (64%)
  • Polish (99.4%)
  • Portuguese (91.5%)
  • Portuguese (Brazil) (84.5%)
  • Russian (85.9%)
  • Slovak (70.5%)
  • Spanish (99.9%)
  • Swedish (83%)
  • Telugu (96.3%)
  • Turkish (96.3%)
  • Ukrainian (74%)

Partial translations are available for various other languages.

The Koha team welcomes additional translations; please see

For information about translating Koha, and join the koha-translate
list to volunteer:

The most up-to-date translations can be found at:

Release Team

The release team for Koha 21.11.02 is

  • Release Manager: Fridolin Somers
  • Release Manager assistants:
    • Jonathan Druart
    • Martin Renvoize
    • Tomás Cohen Arazi
  • QA Manager: Katrin Fischer
  • QA Team:
    • Andrew Nugged
    • Jonathan Druart
    • Joonas Kylmälä
    • Kyle M Hall
    • Marcel de Rooy
    • Martin Renvoize
    • Nick Clemens
    • Petro Vashchuk
    • Tomás Cohen Arazi
    • Victor Grousset
  • Topic Experts:
    • UI Design — Owen Leonard
    • REST API — Tomás Cohen Arazi
    • Zebra — Fridolin Somers
    • Accounts — Martin Renvoize
  • Bug Wranglers:
    • Indranil Das Gupta
    • Erica Rohlfs
  • Packaging Manager:
  • Documentation Manager: David Nind
  • Documentation Team:
    • Aude Charillon
    • Caroline Cyr La Rose
    • Kelly McElligott
    • Lucy Vaux-Harvey
    • Martin Renvoize
    • Rocio Lopez
  • Translation Managers:
    • Bernardo González Kriegel
  • Wiki curators:
    • Thomas Dukleth
  • Release Maintainers:
    • 21.11 — Kyle M Hall
    • 21.05 — Andrew Fuerste-Henry
    • 20.11 — Victor Grousset
    • 19.11 — Wainui Witika-Park

Credits

We thank the following libraries, companies, and other institutions who are known to have sponsored
new features in Koha 21.11.02

  • Lund University Library

We thank the following individuals who contributed patches to Koha 21.11.02

  • Tomás Cohen Arazi (21)
  • Florian Bontemps (3)
  • Nick Clemens (9)
  • David Cook (1)
  • Jonathan Druart (35)
  • Katrin Fischer (4)
  • Lucas Gass (3)
  • Didier Gautheron (1)
  • Kyle M Hall (9)
  • Joonas Kylmälä (1)
  • Owen Leonard (10)
  • Björn Nylén (1)
  • Martin Renvoize (4)
  • Marcel de Rooy (3)
  • Andreas Roussos (1)
  • Fridolin Somers (1)
  • ThibaudGLT (1)
  • Koha translators (1)

We thank the following libraries, companies, and other institutions who contributed
patches to Koha 21.11.02

  • Athens County Public Libraries (10)
  • BibLibre (6)
  • Bibliotheksservice-Zentrum Baden-Württemberg (BSZ) (4)
  • ByWater-Solutions (21)
  • Dataly Tech (1)
  • Independent Individuals (1)
  • Koha Community Developers (35)
  • Prosentient Systems (1)
  • PTFS-Europe (4)
  • Rijksmuseum (3)
  • Theke Solutions (21)
  • ub.lu.se (1)

We also especially thank the following individuals who tested patches
for Koha

  • Tomás Cohen Arazi (12)
  • Florian Bontemps (1)
  • Nick Clemens (25)
  • Jonathan Druart (16)
  • Jonathan Field (2)
  • Katrin Fischer (45)
  • Andrew Fuerste-Henry (4)
  • Lucas Gass (7)
  • Victor Grousset (1)
  • Kyle M Hall (91)
  • Sally Healey (1)
  • Joonas Kylmälä (2)
  • Owen Leonard (2)
  • David Nind (20)
  • Hayley Pelham (1)
  • Martin Renvoize (12)
  • Marcel de Rooy (5)
  • Andreas Roussos (2)
  • Fridolin Somers (69)
  • ThibaudGLT (3)

We regret any omissions. If a contributor has been inadvertently missed,
please send a patch against these release notes to koha-devel@lists.koha-community.org.

Revision control notes

The Koha project uses Git for version control. The current development
version of Koha can be retrieved by checking out the master branch of:

The branch for this version of Koha and future bugfixes in this release
line is v21.11.02.

Bugs and feature requests

Bug reports and feature requests can be filed at the Koha bug
tracker at:

He rau ringa e oti ai.
(Many hands finish the work)

Autogenerated release notes updated last on 31 Jan 2022 18:14:01.