Advanced search  

News:

cpg1.5.36 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.34 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: cpg1.4.18 Security release - upgrade absolutely mandatory!  (Read 102458 times)

0 Members and 1 Guest are viewing this topic.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
cpg1.4.18 Security release - upgrade absolutely mandatory!
« on: April 14, 2008, 09:16:15 AM »

The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.17 or older update to this latest version as soon as possible.

This is the only issue addressed in this release.

How to update:
If you are currently running 1.4.17 then you may patch your gallery by replacing your copy of bridge/coppermine.inc.php with the fixed version available here. This is the only issue addressed in this release.
Users running versions prior to 1.4.17 should update immediately by downloading the latest version from the download page page and follow the upgrade steps in the documentation.

Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Why was cpg1.4.18 released only few days after the release of cpg1.4.17?
The 1.4.17 patch indeed does not fix the problem - it fixes a different problem, one which this latest attack does not actually exploit. This new release will address the current issue.
That has been corrected in this version 1.4.18.
Version 1.4.18 contains sets of corrections already present in version 1.4.17.

Note: for galleries that have already been infected, it is not enough to upgrade - you'll have to sanitize your website as well. Upgrading will only close the vulnerability, but not the payload of the hack. Please review the thread that discusses the hack for suggestions how to sanitize - do not clutter the announcement thread for the release of cpg1.4.18 with questions/comments on the hack.

Big thanks go to Nibbler who came up with the fix for the vulnerability.

Thanks,
The Coppermine Team
« Last Edit: April 14, 2008, 01:06:55 PM by Joachim Müller »
Logged

maxslug

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #1 on: April 19, 2008, 02:06:17 AM »

Please update or delete the 1.4.17 announcement thread to say that it superseded by this update.  otherwise you google the hack, find the 1.4.17 page, update and have the same problems.  thanks!
-m
Logged

Abbas Ali

  • Administrator
  • Coppermine addict
  • *****
  • Country: in
  • Offline Offline
  • Gender: Male
  • Posts: 2165
  • Spread the PHP Web
    • Ranium Systems
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #2 on: April 19, 2008, 11:03:28 AM »

cpg1.4.17 announcement thread updated. Thanks for notifying.
Logged
Chief Geek at Ranium Systems

ammo

  • Coppermine newbie
  • Offline Offline
  • Posts: 8
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #3 on: April 22, 2008, 01:45:36 AM »

The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.17 or older update to this latest version as soon as possible.


Note: for galleries that have already been infected, it is not enough to upgrade - you'll have to sanitize your website as well. Upgrading will only close the vulnerability, but not the payload of the hack. Please review the thread that discusses the hack for suggestions how to sanitize - do not clutter the announcement thread for the release of cpg1.4.18 with questions/comments on the hack.

Big thanks go to Nibbler who came up with the fix for the vulnerability.

Thanks,
The Coppermine Team

Where can I find the thread on the hack suggestions?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Logged

Medievaldragon

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #5 on: April 24, 2008, 09:14:41 PM »

Alright, I'm a first timer upgrading.  I will follow the instructions. thanks.
« Last Edit: April 24, 2008, 09:25:51 PM by Medievaldragon »
Logged

Pascal YAP

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: fr
  • Offline Offline
  • Gender: Male
  • Posts: 13833
  • Hello World :-)
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #6 on: April 24, 2008, 09:24:35 PM »

Quote
how do I upgrade?
Just before your POST, some links for a start ???
And if you had downloaded the Coppermine's package, there's a DOC inside !

PYAP

Logged
! Pas de PM please ! No PM s'il vous plait !

Medievaldragon

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #7 on: April 24, 2008, 09:27:29 PM »

Thanks, I am backing up the MySQL right now.
Logged

Hein Traag

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: nl
  • Offline Offline
  • Gender: Male
  • Posts: 2166
  • A, B, Cpg
    • Personal website - Spintires.nl
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #8 on: April 24, 2008, 09:38:41 PM »

Since this is an announcement thread it is now closed. Any questions concerning 1.4.18 ? Open your very own thread and ask away  ;D
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: cpg1.4.18 Security release - upgrade absolutely mandatory!
« Reply #9 on: April 25, 2008, 07:18:42 AM »

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Cluttering this thread although the announcement clearly says you mustn't is silly and selfish.
Logged
Pages: [1]   Go Up
 

Page created in 0.07 seconds with 20 queries.