Koha Security Upgrade

The Koha release team has announced a security release. The following Koha versions were released on 29 August:

  • Koha 17.05.03
  • Koha 16.11.11
  • Koha 16.05.16


These releases contain patches to correct a number of cross-site scripting (XSS) vulnerabilities.

All CALYX hosted clients have been upgraded to Koha version 16.11.11. The upgrade was performed late on Sunday 3 September. No action is needed on the part of hosted libraries.

Non-hosted clients are advised to upgrade.

Versions of Koha prior to 16.05 are no longer supported by the Koha project. Users of earlier versions should upgrade.

Why is your hosted Koha upgraded so frequently?

The Koha project has a major feature release each May and November and a maintenance release every other month. Security releases may be additional to regularly scheduled releases or may coincide with a regular release. CALYX’ policy is to apply security releases promptly and otherwise to upgrade to each major feature release with a delay of 4 to 7 months, depending on the characteristics of the release. In this way we provide clients with access to the latest Koha features whilst ensuring the software deployed has been tried and tested and found to be stable.

Moreover, keeping software up to date, at both the server and application level, is vital to security. For example, the recent Petya and Wannacry ransom-ware attacks exploited vulnerabilities in the Microsoft operating system for which patches were available but had not been applied to many systems around the world.

Regular upgrades:

  • provide access to new features and improvements;
  • maximise the security of your Koha application by ensuring the latest security patches are included in the software;
  • remove the drama from upgrades and ensure that any issues are manageable, by providing incremental improvement rather than large leaps forward.


For hosted clients, the next upgrade is likely to be to Koha 17.05 and can be expected before the end of the year.

Introducing Hea

Hea is a Koha community website that displays Koha ILS usage statistics. Find it here.

Documentation about Hea is found here.

Hea has the potential to provide useful information such as where Koha installations are located, what types of libraries use Koha and what their scale is. There is a page showing the way libraries set their system preferences which can provide useful guidance to other libraries.

Each Koha library can decide whether to send data to Hea. The data collection is activated by setting system preferences on the Administration tab of the system preferences page. Each library can decide whether to share its data anonymously or to have its name, type and OPAC URL displayed on the Hea website.

Its estimated there are 15,000 Koha installations world wide. So far only 817 are sharing their data with Hea, so there is some way to go to make the data authoritative.

CALYX will be writing separately to hosted clients to assess your interest in contributing to this growing data store.

OPAC Reset Password

For users of the Koha OPAC, a Password Recovery feature was added in Koha 16.05. Note that this feature can only be used by libraries with ‘email cronjobs’ enabled. If your library is hosted by CALYX and you don’t know whether ‘email cronjobs’ are running, simply contact us. The feature is also not of benefit to libraries using single sign-on, whether via a directory, SAML or Google login.

To activate this feature, navigate to the OPAC system preferences tab and set ‘OPACResetPassword’ to ‘allowed’. The library must also set up a notice that is sent to users who activate a request. Edit the ‘Password Reset’ template on the Notices and Slips page (Tools menu).

Thereafter, when an OPAC user clicks on ‘Log in to your account’, then below the Login and Password entry fields there will be a link labelled ‘Forgot your password?’. When the user clicks that link they are prompted for their username and email address. An email notice is then sent to the user who must click on a link to reset their password.

If you require assistance to set up this feature, contact CALYX.

Koha Tip: Adding Images to News Items

Recently a client asked: “Now if we want to add an image, mostly .jpgs, can we do that in the same piece of news?”

The answer is Yes. You’ll need to store the image somewhere that is web accessible. We can store it for you if you wish and we’ll provide you with the URL.

Then, use HTML within the News box. Enclose your News item in html tags and use a link tag to access the image.

Can’t write with HTML? Use this guide: http://www.w3schools.com/html/default.asp or ask CALYX for assistance.

Koha Off-line Circulation

Do you have a plan for managing circulation if your Koha system is unavailable for any period of time? For smaller libraries, an A4 page ruled into four columns may be adequate: borrower cardnumber; item barcode; transaction type (reserve, issue, renew, return); and a checkbox to record that you have manually entered the transaction to Koha when the system came up again. Be sure to process transactions in the order they occurred (otherwise you may lend a book before recording another user’s reservation of it, for example).

What should larger libraries do? Koha offers three approaches:

  • counter-intuitively, you can do off-line circulation in Koha, but this requires prior setup and we recommend regular testing before a real situation arises;
  • there is a plug-in for the Firefox web browser that provides another tool;
  • there is a Windows application that can be installed on your local computer.


All these approaches offer some automation of the recovery of transactions when Koha comes back on line.

All three approaches are described in the Koha manual.

If you require assistance to plan or implement an off line circulation system, please contact us.

Koha System Preferences

Koha now has in excess of 500 system preferences. New system preferences are added in every major feature release. Generally, for new Koha features, the default setting for the system preference is ‘off’. That is, new functionality is not forced onto users but is there to be turned on when the library has the need and is ready.

For Koha systems that have been installed for a number of years, there can be a range of new features that are not being utilised due to the relevant system preferences not being activated.

Do you wish to extend the functionality of Koha or to find new workflows to improve the efficiency of library operations? CALYX is able to quickly review your system preference settings and make beneficial recommendations. Is it time for a review? If so, please contact us.

Best wishes from
CALYX information essentials