Newman, David R (2021) EPrints 3.4.2 February 2021 security patch.
Patch file for security vulnerabilities - Other
Available under License Creative Commons GNU LGPL (Software). 9kB
Official URL: http://www.eprints.org/eprints-3.4
Abstract
A number of security vulnerabilities have been identified in the EPrints 3.4.2 codebase and will have been present in earlier versions of EPrints 3.4 (and 3.3). These vulnerabilities will be patched in the next EPrints release (3.4.3), but a patch file is provided here to fix them in 3.4.2.

The scripts affected are:
- /cgi/ajax/phrase : CVE-2021-26703
- /cgi/cal : CVE-2021-26475 and CVE-2021-26476
- /cgi/dataset_dictionary : CVE-2021-26702
- /cgi/latex2png : CVE-2021-3342
- /cgi/toolbox/toolbox : CVE-2021-26704

This patch file also modifies /cgi/history_search, which looked potentially susceptible to MySQL injection and cross-site scripting but was found not to be vulnerable.
Requirements
EPrints 3.4.2 already installed. May work on earlier versions of EPrints 3.4.
Installation
Run the following command as the eprints user, assuming this patch file is in the eprints user's home directory and replacing EPRINTS_PATH with EPrints' root directory:

    patch -p1 -ruN -d EPRINTS_PATH < ~/eprints-3_4_2-vulns.patch
Copyright
University of Southampton