Koha 3.22.12 security release

The Koha community is proud to announce the release of Koha 3.22.12

It is a security release and it includes 3 security fixes, 35 bugfixes and 1 enhancement. See below for details

Koha 3.22.12 can be downloaded from: http://download.koha-community.org/old_releases/koha-3.22.12.tar.gz

Installation instructions can be found at:

• Koha Wiki
• OR in the INSTALL files that come in the tarball

Security fixes

• [16800] Stored Cross-site Scripting vulnerability in addbiblio.pl
• [17035] Koha allows system-wide ‘read’ access to all Koha zebra databases, by default
• [17365] SQL Injection & XSS attack in memberentry.pl

Critical bugs fixed

Architecture, internals, and plumbing

• [17342] Plack does not work after upgrading to 3.22.11 and 16.05.04

Cataloging

• [17477] Duplicating a subfield yields an empty subfield tag

Installation and upgrade (web-based installer)

• [17324] branchcode is NULL in letter triggers red upgrade message

OPAC

• [17392] opac/svc/overdrive_proxy is not plack safe
• [17393] selfreg – Patron’s info are not correctly inserted if contain non-Latin characters

Patrons

• [11217] The # in accountlines descriptions makes them un-writeoffable
• [17403] Internal Server Error while deleting patron

System Administration

• [17389] Exporting framework always export the default framework

Other bugs fixed

About

• [13405] System information has misleading information about indexing mode

Architecture, internals, and plumbing

• [14707] Change UsageStatsCountry from free text to a dropdown list
• [17294] reserves_stats.pl is not plack safe
• [17411] Change exit 1 to exit 0 in acqui/basket.pl to prevent Internal Server Error
• [17426] AutoCommit should not be set in tests
• [17446] Remove some seleted typos

Cataloging

• [7045] Default-value substitution inconsistent
• [16245] RIS export file type incorrect
• [16358] Rancor – Deleting records when Rancor is enabled just opens them
• [17405] Edit record uses Default framework

Circulation

• [10768] Improve the interface related to itemBarcodeFallbackSearch
• [17310] Broken URLs in ‘Item renewed’ / ‘Cannot renew’ messages
• [17352] Patron search type is hard coded to ‘contain’ in circ/circulation.pl

Command-line Utilities

• [17088] Bad MARC XML can halt export_records.pl

I18N/L10N

• [17245] Untranslatable abbreviated names of seasons

Installation and upgrade (web-based installer)

• [17357] WTHDRAWN is still used in installer files
• [17358] Authorised values: COU>COUNTRY | LAN>LANG

Lists

• [17316] Possible to see name of lists you don’t own

OPAC

• [17296] Failed to correctly configure AnonymousPatron with AnonSuggestions should display a warning in about
• [17367] Showing all items must keep show holdings tab in OPAC details

Packaging

• [17085] Specify libmojolicious-perl min version

Patrons

• [17404] Patron deletion page: Fix title and breadcrumb
• [17423] patronimage.pl permission is too restrictive

Reports

• [16816] Duplicate button on report results copies parameters used

System Administration

• [16035] MARC framework Export misbehaving

Templates

• [17289] Holds awaiting pickup shows date unformatted

Test Suite

• [17441] t/db_dependent/Letters.t fails on Jenkins

Enhancements

Patrons

• [17154] Note column is missing on account lines receipt

System requirements

Important notes:

• Perl 5.10 is required
• Zebra is required

Documentation

The Koha manual is maintained in DocBook.The home page for Koha
documentation is

• Koha Documentation

As of the date of these release notes, only the English version of the
Koha manual is available:

• Koha Manual

The Git repository for the Koha manual can be found at

• Koha Git Repository

Translations

Complete or near-complete translations of the OPAC and staff
interface are available in this release for the following languages:

• English (USA)
• Arabic (98%)
• Armenian (99%)
• Chinese (China) (93%)
• Chinese (Taiwan) (97%)
• Czech (97%)
• Danish (77%)
• English (New Zealand) (98%)
• Finnish (98%)
• French (99%)
• French (Canada) (91%)
• German (99%)
• German (Switzerland) (99%)
• Greek (80%)
• Hindi (100%)
• Italian (99%)
• Korean (57%)
• Kurdish (54%)
• Norwegian Bokmål (63%)
• Occitan (94%)
• Persian (64%)
• Polish (99%)
• Portuguese (99%)
• Portuguese (Brazil) (94%)
• Slovak (98%)
• Spanish (99%)
• Swedish (82%)
• Turkish (98%)
• Vietnamese (78%)

Partial translations are available for various other languages.

The Koha team welcomes additional translations; please see

• Koha Translation Info

for information about translating Koha, and join the koha-translate
list to volunteer:

• Koha Translate List

The most up-to-date translations can be found at:

• Koha Translation

Release Team

The release team for Koha 3.22.12 is

• Release Manager: Tomás Cohen Arazi
• QA Manager: Katrin Fischer
• QA Team:
  • Kyle Hall
  • Jonathan Druart
  • Tomás Cohen Arazi
  • Marcel de Rooy
  • Nick Clemens
  • Jesse Weaver
• Bug Wranglers:
  • Amit Gupta
  • Magnus Enger
  • Mirko Tietgen
  • Indranil Das Gupta
  • Zeno Tajoli
  • Marc Véron
• Packaging Manager: Mirko Tietgen
• Documentation Manager: Nicole C. Engard
• Translation Manager: Bernardo Gonzalez Kriegel
• Wiki curators:
  • Brook
  • Thomas Dukleth
• Release Maintainers:
  • 16.05 — Frédéric Demians
  • 3.22 — Julian Maurice
  • 3.20 — Chris Cormack

Credits

We thank the following libraries who are known to have sponsored
new features in Koha 3.22.12:

• Catalyst IT
• Universidad de El Salvador

We thank the following individuals who contributed patches to Koha 3.22.12.

• Marc (4)
• Hector Castro (2)
• Nick Clemens (2)
• Frédéric Demians (2)
• Jonathan Druart (22)
• Julian FIOL (1)
• Katrin Fischer (1)
• Mason James (1)
• Andreas Jonsson (1)
• Rafal Kopaczka (1)
• Kyle M Hall (2)
• Julian Maurice (3)
• Sophie Meynieux (1)
• Andreas Roussos (3)
• Rodrigo Santellan (1)
• Fridolin Somers (2)
• Zeno Tajoli (1)
• Mirko Tietgen (1)
• Mark Tompsett (1)
• Marcel de Rooy (5)

We thank the following libraries, companies, and other institutions who contributed
patches to Koha 3.22.12

• abunchofthings.net (1)
• BibLibre (7)
• BSZ BW (1)
• bugs.koha-community.org (22)
• ByWater-Solutions (4)
• Cineca (1)
• KohaAloha (1)
• kreablo.se (1)
• Marc Véron AG (4)
• poczta.onet.pl (1)
• Rijksmuseum (5)
• Tamil (2)
• unidentified (7)

We also especially thank the following individuals who tested patches
for Koha.

• Aleisha Amohia (1)
• Andreas Roussos (1)
• Brendan Gallagher (21)
• Chris Cormack (11)
• Claire Gravely (3)
• David Cook (1)
• Frédéric Demians (51)
• Hector Castro (4)
• Jonathan Druart (16)
• Josef Moravec (1)
• Julian Maurice (56)
• Juliette (1)
• Marc (2)
• Marc Véron (8)
• Mark Tompsett (2)
• Mirko Tietgen (1)
• Nick Clemens (5)
• Owen Leonard (2)
• remy (1)
• Katrin Fischer (26)
• Tomas Cohen Arazi (1)
• Kyle M Hall (32)
• Bernardo Gonzalez Kriegel (2)
• Marcel de Rooy (9)

We regret any omissions. If a contributor has been inadvertently missed,
please send a patch against these release notes to
koha-patches@lists.koha-community.org.

Revision control notes

The Koha project uses Git for version control. The current development
version of Koha can be retrieved by checking out the master branch of:

• Koha Git Repository

The branch for this version of Koha and future bugfixes in this release
line is 3.22.x.

Bugs and feature requests

Bug reports and feature requests can be filed at the Koha bug
tracker at:

• Koha Bugzilla

He rau ringa e oti ai.
(Many hands finish the work)