Comment 1 for bug 1424755

Jason Stephenson (jstephenson) wrote :

This is a serious security bug in Evergreen that allows unauthenticated users to retrieve sensitive information remotely. This information could include email addresses and/or account information for third-party products that integrate with Evergreen.

Evergreen is patched as of releases 2.5.9, 2.6.7, 2.7.4, and 2.8.0-beta. All prior releases are vulnerable to this remote exploit.

It is extremely important that, if you cannot upgrade at this time, you patch your Evergreen to protect against this exploit. To that end, a patch is being supplied that you can apply to a running system. In order to secure your system, you must download this patch and copy it to each of your Evergreen servers, at least any that run open-ils.actor services. You will need to perform the following steps on each server to completely patch your system.

First, you must find where the Actor.pm module is located. This is usually under /usr/local somewhere. The following command will find it for you:

find /usr/local -name Actor.pm

On an Ubuntu 12.04 system, the above prints out "/usr/local/share/perl/5.14.2/OpenILS/Application/Actor.pm", so we will use that as our example. Just be sure that when you do this for real, you use the actual path printed by the above command. If it prints nothing, you will need to check other locations.

Once you have the path, you can run the patch command. Assuming that you are in the directory where you put the patch file, the following command should apply the patch:

sudo patch /usr/local/share/perl/5.14.2/OpenILS/Application/Actor.pm lp1424755.patch

Unless you have made local edits to the affected file, the patch should apply cleanly.

After you have applied the patch, you will need to restart the open-ils.actor services. You do this by running osrf_control with the appropriate options:

osrf_control [--localhost] --restart --service open-ils.actor

The --localhost is in brackets because you may or may not need it. Your system administrator should know if you do or not. If you do need it, remove the brackets. If you don't need it, then omit the option entirely.
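The three steps above (locate Actor.pm, apply the patch, restart open-ils.actor) as one script, added here as an example and not part of the bug comment or the Evergreen project. It assumes the patch file name lp1424755.patch and the /usr/local search root from the comment; the RESTART_OPTS variable and the --apply flag are this script's own conventions. It adds a dry run before patching so a server with local edits to Actor.pm, or one already patched, is reported instead of left half-modified.

```shell
#!/bin/sh
# Added example (not from the bug comment): patch every Actor.pm under
# /usr/local for lp1424755 and restart the open-ils.actor service.

# Apply PATCHFILE to TARGET only if a dry run succeeds.
# Returns 0 on success, 1 if TARGET is missing, 2 if the patch would not
# apply cleanly (local edits, or the patch is already applied).
apply_patch_checked() {
    target="$1"; patchfile="$2"
    [ -f "$target" ] || { echo "no such file: $target" >&2; return 1; }
    # -f: never ask questions; stdin from /dev/null so it cannot block.
    if ! patch -s -f --dry-run "$target" "$patchfile" </dev/null >/dev/null 2>&1; then
        echo "patch does not apply cleanly to $target; inspect it manually" >&2
        return 2
    fi
    patch -s "$target" "$patchfile"
}

# List every Actor.pm under ROOT (a server may carry more than one Perl tree).
find_actor_pm() {
    find "${1:-/usr/local}" -name Actor.pm -path '*/OpenILS/Application/*' 2>/dev/null
}

main() {
    patchfile="${1:-lp1424755.patch}"
    found=0
    for f in $(find_actor_pm /usr/local); do
        found=1
        apply_patch_checked "$f" "$patchfile" || exit 1
        echo "patched $f"
    done
    if [ "$found" -eq 0 ]; then
        echo "Actor.pm not found under /usr/local; check other locations" >&2
        exit 1
    fi
    # Some installs need --localhost here; set RESTART_OPTS=--localhost if yours does.
    osrf_control ${RESTART_OPTS:-} --restart --service open-ils.actor
}

# Run only when invoked as: sh patch_actor.sh --apply [patchfile]
if [ "${1:-}" = "--apply" ]; then
    shift
    main "$@"
fi
```

Run it as root (or via sudo) on each server, since Actor.pm under /usr/local is normally not writable by a regular user.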