EPrints 3.4.2 February 2021 security patch

Newman, David R (2021) EPrints 3.4.2 February 2021 security patch.

[img] Patch file for security vulnerabilities - Other
Available under License Creative Commons GNU LGPL (Software).

9kB

Official URL: http://www.eprints.org/eprints-3.4

Item Type: Patch
EPrints Version: EPrints 3 > EPrints 3.4
License: GPL
Date: 23 February 2021
Creators Name: Newman, David R
Department: School of Electronics and Computer Science
Institution: University of Southampton
Date Deposited: 23 Feb 2021 10:56
Last Modified: 23 Feb 2021 23:35

Abstract

A number of security vulnerabilities have been identified with EPrints 3.4.2 codebase and will have been present in earlier versions of EPrints 3.4 (and 3.3). These vulnerabilities will be patched for the next EPrints release (3.4.3) but this provides a patch file to fix these vulnerabilities in 3.4.2. The scripts affected are: - /cgi/ajax/phrase : CVE-2021-26703 - /cgi/cal : CVE-2021-26475 and CVE-2021-26476 - /cgi/dataset_dictionary : CVE-2021-26702 - /cgi/latex2png : CVE-2021-3342 - /cgi/toolbox/toolbox : CVE-2021-26704 This patch file also modifies /cgi/history_search, which looked potentially susceptible to MySQL Injection and Cross-Site Scripting but was found not to be vulnerable.

Requirements

EPrints 3.4.2 already installed. May work on earlier versions of EPrints 3.4.

Installation

Run the following command as the eprints user. Assuming this patch file is in eprints' home directory and replacing EPRINTS_PATH for EPrints' root directory: patch -p1 -ruN -d EPRINTS_PATH < ~/eprints-3_4_2-vulns.patch

Copyright

University of Southampton


Repository Staff Only: edit this item