Koha 3.22.7 security release
The Koha community is proud to announce the release of Koha 3.22.7.
Koha 3.22.7 is a security release.
It includes 1 security fix, 71 bugfixes and 1 enhancement.
Security bugs fixed
• [16476] CGI->param(‘foo’) in list context allows XSS (e.g. Javascript injection) in Koha
Critical bugs fixed
Architecture, internals, and plumbing
• [16505] rebuild_zebra.pl skips updates if -x is passed
• [16539] Koha::Cache is incorrectly caching single holidays
Cataloging
• [16373] merge.pl reports success but files are not merged
Circulation
• [16356] [3.22] Error 500 when returning an item which itemtype is not defined in ItemTypes
Installation and upgrade (web-based installer)
• [13669] Web installer fails to load sample data on MySQL 5.6+
• [16402] DB structure cannot be loaded in MySQL 5.7
Lists
• [16517] A server error is raised when creating a new list with an existing name
Notices
• [12752] OVERDUE notice mis-labeled as “Hold Available for Pickup”
Staff Client
• [15816] Timeout login redirects to home page
Templates
• [14632] Incorrect alert while deleting single item in batch
Test Suite
• [16561] Regression caused by 15877 – t/db_dependent/Barcodes.t deletes all items from a DB
Tools
• [16426] Import borrowers tool warns for blank and/or existing userids
Other bugs fixed
Acquisitions
• [11203] Datatables in acquisitions do not ignore “stopwords” in titles
• [13041] Can’t add user as manager of basket if name includes a single quote
• [16154] Replace CGI->param with CGI->multi_param in list context
• [16253] Acq: Change “Delete order” to “Cancel order line” on basket summary and receive page
• [16321] ‘Show all details’ checkbox triggers JS error after jQuery upgrade
• [16325] Suggestions: Tab “Status unknown” contains all suggestions
• [16384] When canceling ‘edit basket’, return to basket summary if you came from there
Architecture, internals, and plumbing
• [15086] Creators layout and template sql has warnings
• [15877] C4::Barcodes does not correctly calculate db_max for ‘annual’ barcodes
• [15878] C4::Barcodes::hbyymmincr incorrectly calculates max and should warn when no branchcode present
• [16104] Warnings “used only once: possible typo” should be removed
• [16105] Cache::Memory is loaded even if memcache is used
• [16259] More: Replace CGI->param with CGI->multi_param in list context
• [16429] Going to circulation from notice triggers may change logged in branch
• [16452] PatronLists.t raises a warning
• [16499] circulation.pl logs warnings about Use of uninitialized value
• [16550] Can’t set opac news expiration date to NULL, it reverts to today
Cataloging
• [15682] Merging records from cataloguing search only allows to merge 2 records
Circulation
• [15919] Batch checkout should show due date in list of checked-out items
Database
• [16170] Pseudo foreign key in Items
I18N/L10N
• [16322] Translatability: “Unknown” in suggestion/suggestion.pl not translatable
Lists
• [16484] Virtualshelves: Using no XSLTResultsDisplay breaks content display in intranet (titles not showing in lists)
MARC Authority data support
• [14050] Default framework for authorities should not be deletable
Notices
• [1859] Notice fields: can’t select multiple fields at once
• [16217] Notice’ names may have diverged
OPAC
• [16220] The view tabs on opac-detail.pl are not responsive
• [16233] Unclosed strong tag in the opac-facets.inc breaks some display
• [16315] OPAC Shelfbrowser doesn’t display the full title
• [16340] JS variable in opac-bottom.inc is declared two times
• [16478] Translation breaks display of Checkout history in tab Checkouts / On-site-checkouts
• [16516] showListsUpdate JS function is not defined at the OPAC
Patrons
• [9393] Add note to circulation.pl if borrower has pending modifications
• [12721] Prevent software error if incorrect fieldnames given in syspref StatisticsFields
• [15823] Can still access patron discharge slip without having the syspref on – Permissions breach
• [16447] “Borrow Permission” should not be used anymore
Reports
• [16481] Report menu has unexpected issues
SIP2
• [13871] OverDrive message when user authentication fails
Searching
• [16041] StaffAuthorisedValueImages & AuthorisedValueImages preferences – impact on search performance
• [16398] Keep expanded view after clearing the search form
Self checkout
• [12663] SCOUserCSS and SCOUserJS ignored on selfcheck login page
Serials
• [13877] seasonal predictions showing wrong in test
Staff Client
• [9387] Feedback message for FAILED check out items are not obvious for visually impaired
• [16218] printfeercpt.tt (and others) does not include jQuery
• [16270] Typo authentification vs authentication in 404
System Administration
• [15009] Planning dropdown button in aqbudget can have empty line
Templates
• [15194] Drop-down menu ‘Actions’ has problem in ‘Saved reports’ page with language bottom bar
• [16159] guarantor section missing ID on patron add form
• [16230] Show tooltip with menu item when fund cannot be deleted
• [16369] Clean up and improve plugins template
• [16381] Fix capitalization on tags review page
• [16415] Layout problem on staff client detail page if local cover images are enabled
• [16439] Allow styling to button for upload local cover images (Font Awesome Icons)
• [16480] Unclosed tag span in shelves on intranet
Test Suite
• [14144] Silence warnings t/db_dependent/Auth_with_ldap.t
• [14362] PEGI 15 Circulation/AgeRestrictionMarkers test fails
• [16390] Accounts.t does not need MPL
• [16407] Fix Koha_borrower_modifications.t
• [16501] Remove some unneeded warns in Upload.t
Enhancements
Lists
• [15403] Confirm messages in intranet lists interface strangely worded