Security release — February 2014

The Koha community is releasing a security update for all supported and recent unsupported versions of Koha. The security update is available in the following new releases being made today:

  • 3.14.3
  • 3.12.10
  • 3.10.13
  • 3.8.23

The following security bugs are fixed by this update:

  • Bug 11660: tools/ could be used to read arbitrary files on the server
  • Bug 11661: the staff interface help editor could be used to modify or create arbitrary files on the server with the privileges of the Apache user
  • Bug 11662: could be used to write to arbitrary files on the server with the privileges of the Apache user
  • Bug 11666: the MARC framework import/export function did not require authentication, and could be used to perform unexpected SQL commands

The fix for bug 11666 removes SQL as a supported format for importing or exporting MARC frameworks.

We recommend that you upgrade immediately to get the fixes for these security issues. However, if you are not able to perform the upgrade right away, you can mitigate against the issues by performing the following actions:

  • deleting the script
  • deleting the script
  • making not be executable, e.g., by doing chmod a-x
  • making not be executable, which will disable the MARC framework import and export functionality

Our thanks to John Lightsey for finding and reporting the issues.

The 3.14.3 and 3.10.13 releases also contain unrelated bugfixes which are described in their release notes.

Please note that if you installed from a tarball, you may need to manually delete and, even after you upgrade.

Users of the Debian packages for 3.12.x and 3.14.x (and master) can get the latest release by running apt-get update followed by apt-get upgrade.

Tarballs are also available:

If you are not running a version of Koha that has has a release maintainer (currently 3.8.x, 3.10.x, 3.12.x, and 3.14.x), we strongly urge you to upgrade to a supported version.