Koha 3.22.6 Security Released

Koha 3.22.6 Security Released

La comunidad de koha se complace de anunciar Koha 3.22.6

La nueva versión incluye 1 corrección de seguridad y 61 corrección de bugs.

Security bugs fixed

  • [15111] Koha is vulnerable to Cross-Frame Scripting (XFS) attacks

Critical bugs fixed

Architecture, internals, and plumbing

  • [16068] System preference override feature (OVERRIDE_SYSPREF_* = ) is not reliable for some cache systems
  • [16084] log4perl.conf not properly set on packages
  • [16138] Restart plack when rotating logfiles


  • [15889] Login with LDAP deletes extended attributes


  • [15757] Hard coded due loan/renewal period of 21 days if no circ rule found in C4::Circulation::GetLoanLength
  • [16082] Empty patron detail page is displayed if the patron does not exist – circulation.pl
  • [16240] Regression: Bug 16082 causes message to be displayed even when no borrowernumber is passed

Hold requests

  • [16151] can’t place holds from lists


  • [15967] Print notices are not generated if the patron cannot be notified


  • [14614] Multiple URLs (856) in cart/list email are broken
  • [16210] Bug 15111 breaks the OPAC if JavaScript is disabled
  • [16317] Attempt to share private list results in error


  • [14633] apache2-mpm-itk depencency makes Koha uninstallable on Debian Stretch
  • [15713] Restart zebra when rotating logfiles


  • [16040] Quote deletion never ending processing

Web services

  • [16222] Add REST API folder to Makefile.PL

Other bugs fixed


  • [15962] Currency deletion doesn’t correctly identify currencies in use
  • [16055] Deleting a basket group containing baskets fails silently
  • [16146] [3.22] ACQ: Previewed records in Z39.50 search results are wrong

Architecture, internals, and plumbing

  • [15809] versions of CGI < 4.08 do not have multi_param
  • [15930] DataTables patron search defaulting to ‘starts_with’ and not getting correct parameters to parse multiple word searches
  • [16104] Warnings “used only once: possible typo” should be removed


  • [15682] Merging records from cataloguing search only allows to merge 2 records
  • [16171] Show many media (856) in html5media tab


  • [15741] Incorrect rounding in total fines calculations
  • [15832] Pending reserves: duplicates branches in datatable filter

Command-line Utilities

  • [15113] koha-rebuild-zebra should check USE_INDEXER_DAEMON and skip if enabled


  • [15861] No chance to correctly translate an isolated word “The”
  • [16133] Translatability of database administrator account warning

MARC Bibliographic record staging/import

  • [15745] C4::Matcher gets CCL parsing error if term contains ? (question mark)


  • [14076] Noisy warns in opac-authorities-home.pl
  • [14441] TrackClicks cuts off/breaks URLs
  • [15888] Syndetics Reviews preference should not enable LibraryThing reviews
  • [16143] Wrong icon PATH on virtualshelves
  • [16179] Clicking Rate me button in OPAC without selecting rating produces error
  • [16296] Virtualshelves: Using no OPACXSLTResultsDisplay breaks content display


  • [15722] Patron search cannot deal with hidden characters ( tabs ) in fields
  • [15928] Show unlinked guarantor
  • [16214] Surname not displayed in serials patron search results


  • [1750] Report bor_issues_top erroneous and truncated results
  • [15421] Show all available actions in reports toolbar
  • [16184] Report bor_issues_top shows incorrect number of rows
  • [16185] t/db_dependent/Reports_Guided.t is failing


  • [13871] OverDrive message when user authentication fails


  • [14816] Item search returns no results with multiple values selected for one field

Self checkout

  • [11498] Prevent bypassing sco timeout with print dialog


  • [15838] syspref SubscriptionDuplicateDroppedInput does not work for all fields

System Administration

  • [15773] Checkboxes do not work correctly when creating a new subfield for an authority framework
  • [16047] Software error on deleting a group with no category code


  • [15984] Correct templates which use the phrase “issuing rules”
  • [16023] Use Font Awesome icons on audio alerts page
  • [16025] Use Font Awesome icons on item types localization page
  • [16027] Use Font Awesome icons in the professional cataloging interface
  • [16029] Do not show patron toolbar when showing the “patron does not exist” message

Test Suite

  • [14158] t/db_dependent/www/search_utf8.t hangs if error is returned
  • [15323] ./t/Prices.t fails without a valid database
  • [16134] t::lib::Mocks::mock_preference should be case-insensitive
  • [16191] t/Ris.t is noisy
  • [16224] Random failure for t/db_dependent/Reports_Guided.t


  • [15866] No warning when deleting a rotating collection using the toolbar button
  • [15868] Ask for confirmation before deleting MARC modification template action

About the Author

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer ut orci aliquam dui venenatis faucibus. Duis a vestibulum sapien. Proin placerat ac velit hendrerit vestibulum. Sed fermentum ante urna, ut ultrices justo cursus sit amet. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer ut orci aliquam dui venenatis faucibus. Duis a vestibulum sapien. Proin placerat ac velit hendrerit vestibulum.

Leave a comment