Topic: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory

Joachim Müller


Coppermine 1.4.14 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability. It is important that all users who run version cpg1.4.13 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply the fixes mentioned below. Please note that applying the manual fixes will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.14 as well.

Manual fix (not recommended):
To manually fix the vulnerability, edit displayecard.php, find
Code:
foreach($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $HTML_SUBST));
and replace with
Code:
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);

The following issues have been addressed in this release (changelog excerpt):

How to update:
To update any version of Coppermine to version 1.4.14, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Our thanks go to Nicolas Le Gland who reported the vulnerabilities and gave us the opportunity to prepare this release.

Joachim Müller (aka GauGau)
- Coppermine project manager -
« Last Edit: November 06, 2007, 09:23:16 am by GauGau »
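
Why the one-line manual fix above closes the hole, shown as an added example that is not part of the original post or of Coppermine's code: `strtr()` with the substitution table entity-encodes markup characters, and wrapping it in `html_entity_decode()` turns them straight back into live markup. The contents of `$HTML_SUBST`, the field names and the sample values are assumptions constructed for illustration.

```php
<?php
// Stand-in for Coppermine's $HTML_SUBST table; the entries are assumed for this example.
$HTML_SUBST = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;');

// The line as it stood before the fix: escape with strtr(), then decode again.
function fields_before_fix(array $data, array $subst): array
{
    foreach ($data as $key => $value) {
        $data[$key] = html_entity_decode(strtr($value, $subst));
    }
    return $data;
}

// The line after the fix: the escaped string is what gets written into the page.
function fields_after_fix(array $data, array $subst): array
{
    foreach ($data as $key => $value) {
        $data[$key] = strtr($value, $subst);
    }
    return $data;
}

// True when a value still holds characters a browser would parse as markup.
function has_raw_markup(string $value): bool
{
    return strpbrk($value, '<>"') !== false;
}

// Constructed e-card fields (hypothetical keys, not real gallery data).
$data = array(
    'sender'   => 'Alice',
    'greeting' => 'Tom & "Jerry"',
    'message'  => '<script>x</script>',
    'encoded'  => '&lt;b&gt;already encoded&lt;/b&gt;',
);

$before = fields_before_fix($data, $HTML_SUBST);
$after  = fields_after_fix($data, $HTML_SUBST);

// Print both variants per field so the difference is visible side by side.
foreach ($data as $key => $value) {
    printf("%-9s before: %-38s raw markup: %s\n", $key, $before[$key], has_raw_markup($before[$key]) ? 'yes' : 'no');
    printf("%-9s after:  %-38s raw markup: %s\n", $key, $after[$key], has_raw_markup($after[$key]) ? 'yes' : 'no');
}
```

The `encoded` field shows that the decode step removes exactly one layer of encoding, so only values that arrive with raw markup characters come out unescaped in the pre-fix version.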

flinsy

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #1 on: November 21, 2007, 03:54:55 am »

Download page doesn't work...
Text appears in the link.
File Not found
File: cpg1.4.14.zip not found.
To go back to the project page for coppermine click here
Click here for documentation about the download process on sf.net.

Tranz

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #2 on: November 21, 2007, 06:27:10 am »

Confirmed. I tried all US mirrors, and one in UK with various failure messages but failed nonetheless.

François Keller

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #3 on: November 21, 2007, 07:08:05 am »

Works for me (mirror in Ireland)
Did you read the DOC ? the FAQ ? and search the board before posting ?
My blog

Joachim Müller

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #4 on: November 21, 2007, 09:09:56 am »

We apologize for the inconvenience, but this is an issue of sourceforge.net (hopefully only temporary). If a mirror doesn't work for you, try another one. If all mirrors fail on your continent, pick another continent. If this fails as well, please try again later. I can confirm that sourceforge.net currently appears to have issues with their mirroring system (although their status page doesn't list any issues yet).
I have created a temporary mirror on my personal page (that I will remove later once the issues of sourceforge.net have been fixed by their staff) - preliminary mirror is http://gaugau.de/cpg1414.zip
Please understand that issues with the download pages of our host sourceforge.net (who provide outstanding, free services for 100,000+ open source projects btw.) can not be discussed in this thread; this thread deals with the maintenance release cpg1.4.14 (why it has been released) to alert all coppermine users of the new version. It does not deal with temporary issues that our webhost may have.

abossola

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #5 on: November 22, 2007, 04:53:24 pm »

Is there a way to get on an email list for these upgrade announcements?

François Keller

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #6 on: November 22, 2007, 05:31:22 pm »

No, the 1.5 version will provide an announcement (news) box. But you must be patient.

abossola

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #7 on: November 22, 2007, 05:45:31 pm »

Why not, for now, have a forum thread/category that is called "upgrade announcements", and users that select "notify" on that thread would get the announcement? As long as no replies are set in that thread, then no problem, right?

Thanks so much for the reply

Tranz

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #8 on: November 22, 2007, 08:29:15 pm »

This thread is in an Announcements board which has a notify option. That's about as close as we can get to what you are suggesting without adding yet another board.

Joachim Müller

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #9 on: November 23, 2007, 08:30:54 am »

Quote: Is there a way to get on an email list for these upgrade announcements?
Your reply doesn't qualify as valid reply to this announcement. Stop cluttering this thread.

MatthewSchenker

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #10 on: November 30, 2007, 03:03:46 pm »

Quote: No, the 1.5 version will provide an announcement (news) box. But you must be patient.

I am running 1.4.11 right now and will wait for 1.5.  Is there a discussion about 1.5 progress that I can follow online?

Hein Traag

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #11 on: November 30, 2007, 04:57:08 pm »

Quote: I am running 1.4.11 right now and will wait for 1.5.  Is there a discussion about 1.5 progress that I can follow online?

Upgrade to 1.4.14 asap. CPG 1.5 is cooking in the oven, no date set for when it has to be ready. Be patient, don't clutter an announcement thread and update your cpg asap.

Joachim Müller

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #12 on: November 30, 2007, 06:05:02 pm »

@Matthew: you have been warned before. This is the last warning. Your next slightest act of disrespecting board rules and common sense will lead to your permanent ban.

MatthewSchenker

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #13 on: November 30, 2007, 11:17:55 pm »

Quote: @Matthew: you have been warned before. This is the last warning. Your next slightest act of disrespecting board rules and common sense will lead to your permanent ban.

What are you attacking me for?  I just asked an innocent question.  You make things difficult for yourself when you get so upset about every little thing.
« Last Edit: November 30, 2007, 11:46:40 pm by MatthewSchenker »

Joachim Müller

Re: Maintenance release cpg1.4.14 (security-related) - upgrade mandatory
« Reply #14 on: December 03, 2007, 08:17:07 am »

Quote: What are you attacking me for?
For cluttering an announcement thread with your individual issues, although the initial posting clearly says that you mustn't. This thread deals with the release of cpg1.4.14. It does not deal with cpg1.5.x, which is what you have asked. So you broke board rules once more. Additionally, you sent unsolicited PMs to other devs, which is another breach of board rules.
It's because of people like you that we have to lock all sticky announcement threads, taking away the possibility to allow others to post legitimate comments on sticky threads (postings that deal with the actual issue the sticky announcement thread is about). So once again I have to lock an announcement thread, which is what I'm doing now. *sigh*
You have repeatedly misbehaved by not respecting board rules (you're welcome to review the threads that contain your previous postings, but I'm not going to loop through all your postings to summarize where you misbehaved). It's part of my job to remind users of board rules if they break them. I am not attacking you personally because I feel like it, I just do my job. You blatantly showed another time your disrespect of board rules by cluttering this thread even after having been told to stop it and shut up, so this leaves me with only one option left: you're being banned. You have already been banned temporarily, yet you haven't learned anything from that, so this ban is permanent. Goodbye. Don't dare to re-register.