From: Jason Stephenson Date: Wed, 17 May 2023 21:04:11 +0000 (-0400) Subject: Update 3.10 release notes for security fixes X-Git-Url: http://git.equinoxoli.org/?p=evergreen-equinox.git;a=commitdiff_plain;h=e57fbc2254c94d4e358b8b370667d5706b362a9f Update 3.10 release notes for security fixes Signed-off-by: Jason Stephenson --- diff --git a/docs/RELEASE_NOTES_3_10.adoc b/docs/RELEASE_NOTES_3_10.adoc index 063c79d..70d9bc1 100644 --- a/docs/RELEASE_NOTES_3_10.adoc +++ b/docs/RELEASE_NOTES_3_10.adoc @@ -5,7 +5,8 @@ == Evergreen 3.10.2 == -This release contains bug fixes improving on Evergreen 3.10.1. +This release contains bug fixes improving on Evergreen 3.10.1. This release also includes +fixes for three security bugs. === Upgrade notes === 
@@ -14,6 +15,53 @@ This release contains bug fixes improving on Evergreen 3.10.1. * https://bugs.launchpad.net/evergreen/+bug/1920826[Bug 1920826] requires a schema update * https://bugs.launchpad.net/evergreen/+bug/2009073[Bug 2009073] requires a schema update. Sites that have customized styles for the `oils_SH` CSS class should review their changes upon upgrade. +=== Security Fixes === + +==== Fix SQL Injection Vulnerability ==== + +An SQL injection vulnerability related to the implementation of +search term highlights is now closed. + +This is https://bugs.launchpad.net/evergreen/+bug/2004055[Bug 2004055]. + +==== Malicious Search Protection ==== + +Evergreen sometimes sees some "novel" query strings in the wild that +cause the search backend to time out or worse. These are sometimes +malicious and sometimes accidental, but the effect on users is the +same. + +The changes here improve query compilation in several respects in order +to reduce the chances of an overly complex query causing problems for +the search subsystem. + +More work is done up front to simplify and combine parts of the +resulting SQL, allowing more work to be done closer to the data. +This change allows Evergreen to handle many more tested or chained +boolean expressions, and negated terms are now handled directly in +line with other adjacent terms. Phrases (exact matches) are now +searched for using Postgres' adjacency tsearch operator. + +All of these changes work together to improve performance by getting +more search work done in fewer database operations while protecting +against certain query constructs that have caused problems in the +past. + +This is https://bugs.launchpad.net/evergreen/+bug/1775958[Bug 1775958]. + +==== Restrict login redirect ==== + +As a security best-practice, Evergreen should not allow arbitrary +redirection on successful login, but instead limit redirection to +local links or configured domains and schemes. 
+ +This feature is controlled by a new global flag called *opac.login_redirect_domains* +which must contain a comma-separated list of domains. All hostnames +under each domain is allowed for redirect, and the scheme of the +redirect URL must be one of http, https, ftp, or ftps. + +This is https://bugs.launchpad.net/evergreen/+bug/1908576[Bug 1908576]. + === Bug Fixes === ==== Accessibility ====
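Review bot: In the "Restrict login redirect" subsection, "All hostnames under each domain is allowed for redirect" should read "are allowed", and the paragraph states that *opac.login_redirect_domains* "must contain a comma-separated list of domains" without saying what Evergreen does when the flag is unset or empty after upgrade (accept only local links, or refuse the redirect entirely); since this is a security fix whose behaviour an administrator has to configure, suggest adding one sentence stating the default, e.g. "When the flag is empty, only local links are allowed." if that is what the code does. A smaller point in the same hunk: "Postgres' adjacency tsearch operator" could name the operator (`<->`) so readers of the "Malicious Search Protection" notes can recognise it in query plans.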