The Koha community is releasing a security update for all supported and recent unsupported versions of Koha. The security update is available for the following new releases:
Patches are also available for 3.2.x and 3.4.x.
The security update fixes a situation where manipulation of the cookie used for retaining OPAC search history for anonymous sessions could theoretically result in the execution of arbitrary code on a Koha webserver.
We are aware of no active exploits at this time. The security issue can be mitigated by turning off the EnableOpacSearchHistory system preference.
We recommend that all Koha users upgrade as soon as possible. If you cannot upgrade immediately, we strongly encourage you to turn off the EnableOpacSearchHistory system preference until such time as you can upgrade.
Users of the Debian packages for 3.10.x and 3.12.x can get the latest release by running apt-get update followed by apt-get upgrade. Because a new dependency was added recently, it may be necessary to run apt-get dist-upgrade instead, or to run apt-get install koha-common.
For users of the Debian packages for 3.8.x and 3.6.x, since the Koha APT repository no longer contains those versions, .deb files are available for download and installation using
Tarballs are also available:
As a general note, if you are not running a version of Koha that has a release maintainer (currently 3.8.x, 3.10.x, and 3.12.x), we strongly urge you to upgrade to a supported version.