Security Release – Koha 3.16.12

Posted on Posted in 3.16, releases, security

The Koha release team would like to announce the release of Koha 3.16.12, this is a security release.

As such we strongly recommend people running 3.16.x should upgrade as soon as possible

Special thanks also goes to Raschin Tavakoli and Dimitris Simos from the Combinatorial Security Testing Team of SBA Research for finding and reporting the security bugs.

Please continue reading for the full release notes

RELEASE NOTES FOR KOHA 3.16.12

23 Jun 2015

Koha is the first free and open source software library automation package (ILS). Development is sponsored by libraries of varying types and sizes, volunteers, and support companies from around the world.

The website for the Koha project is http://koha-community.org and Koha 3.16.12 can be downloaded from: http://download.koha-community.org/koha-3.16.12.tar.gz

Installation instructions can be found at http://wiki.koha-community.org/wiki/Installation_Documentation or in the INSTALL files that come in the tarball

Koha 3.16.12 is a security release.
This release contains critical security fixes, all users of Koha 3.16.x are highly recommended to upgrade as soon as is reasonable.

Table of contents

New features in Koha 3.16.12

Enhancements in Koha 3.16.12

Critical bugs fixed in Koha 3.16.12

Lists

  • Stored XSS flaw affects OPAC and Staff interface (major – bug 14416)

OPAC

  • SQL Injection in OPAC Interface (critical – bug 14412)
  • XSS Injection point (major – bug 14360)
  • XSS Flaws in OPAC Interface (major – bug 14418)

Staff Client

  • Path traversal vulnerabilty (critical – bug 14408)
  • Multiple XSS and XSRF issues in Staff Client (major – bug 14423)

Other bugs fixed in Koha 3.16.12

New system preferences in Koha 3.16.12

System requirements

Important notes:

  • Perl 5.10 is required
  • Zebra is required

Documentation

The Koha manual is maintained in DocBook. The home page for Koha documentation is http://koha-community.org/documentation

As of the date of these release notes, only the English version of the Koha manual is available at http://manual.koha-community.org/3.16.12/en/

The Git repository for the Koha manual can be found at http://git.koha-community.org/gitweb/?p=kohadocs.git;a=summary

Translations

Complete or near-complete translations of the OPAC and staff interface are available in this release for the following languages:

  • English (USA)
  • Arabic (99%)
  • Armenian (99%)
  • Czech (99%)
  • Danish (86%)
  • French (96%)
  • German (100%)
  • Italian (100%)
  • Kurdish (67%)
  • Polish (99%)
  • Portuguese (100%)
  • Slovak (100%)
  • Spanish (100%)
  • Swedish (86%)
  • Turkish (100%)
  • Vietnamese (94%)

Partial translations are available for various other languages.

The Koha team welcomes additional translations; please see http://wiki.koha-community.org/wiki/Translating_Koha

For information about translating Koha, and join the koha-translate list to volunteer

The most up-to-date translations can be found at http://translate.koha-community.org

Release Team

The release team for Koha 3.16.12 is

  • Release Manager: Galen Charlton
  • Documentation Manager: Nicole C Engard
  • Translation Manager: Bernardo Gonzalez Kriegel
  • QA Manager: Katrin Fischer
  • QA Team:
    • Ruth Bavousett
    • Chris Cormack
    • Marcel de Rooy ,
    • Jonathan Druart ,
    • Brendan Gallagher
    • Kyle Hall
    • Paul Poulain
    • Martin Renvoize
  • Bug Wranglers:
    • Chris Cormack
    • Magnus Enger
  • Packaging Manager: Robin Sheat
  • Release Maintainer (3.8.x): Kyle Hall
  • Release Maintainer (3.10.x): Bernardo Gonzalez Kriegel
  • Release Maintainer (3.12.x): Tomás Cohen Arazi
  • Release Maintainer (3.14.x): Fridolin Somers

      • Credits

      We thank the following libraries who are known to have sponsored new features in Koha 3.16.12:

      We thank the following individuals who contributed patches to Koha 3.16.12:

      • Aleisha (2)
      • Chris (7)
      • Chris Cormack (5)
      • Jonathan Druart (4)
      • Bernardo Gonzalez Kriegel (1)

      We thank the following libraries, companies, and other institutions who contributed patches to Koha 3.16.12:

      • BigBallOfWax (7)
      • Catalyst (5)
      • koha-community.org (4)
      • unidentified (3)

      We also especially thank the following individuals who tested patches for Koha 3.16.12:

      • Jonathan Druart (7)
      • Katrin Fischer (11)
      • Mason James (15)
      • Kyle M Hall (4)

      We regret any omissions. If a contributor has been inadvertently missed, please send a patch against these release notes to koha-patches@lists.koha-community.org.

      Revision control notes

      The Koha project uses Git for version control. The current development version of Koha can be retrieved by checking out the master branch of git://git.koha-community.org/koha.git

      The branch for this version of Koha and future bugfixes in this release line is 3.16.x.

      The last Koha release was 3.18.8, which was released on June 25, 2015.

      Bugs and feature requests

      Bug reports and feature requests can be filed at the Koha bug tracker at http://bugs.koha-community.org

      He rau ringa e oti ai. (Many hands finish the work)

      ##### Autogenerated release notes updated last on 23 Jun 2015 11:50:28 Z #####