The development team is releasing a security update for Coppermine in order to counter a recently discovered injection vulnerability. It is important that all users who run version cpg1.4.18 or older update to this latest version as soon as possible.
This is the only issue addressed in this release.
How to update:
If you are currently running 1.4.18 then you may patch your gallery by replacing your copy of include/functions.inc.php with the fixed version available
here. This is the only security-related issue addressed in this release. Manually fixing the weakness will of course only address the vulnerability, but will not fix the non-security-critical issues that have been taken care of in cpg1.4.19
Users running versions prior to 1.4.18 should update immediately by
downloading the latest version from the
download page page and follow
the upgrade steps in the documentation.
Support:
If you have problems with this update, please use the
Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Why was cpg1.4.19 released?The release covers a recently discovered vulnerability that allows (if unpatched) the execution of remote code. Additionally, these non-security related issues have been fixed:
- Danish language file updated
- spacer for empty album list cells fixed
- improper nesting of form-tag in various files fixed
- invalid <f>-tag in upload.php removed
- type translation in reports fixed
- resources consumption for slideshows in meta albums fixed
- hard-coded string "edit keywords" replaced with translation
- Spanish documentation added
- SMF anonymous user fix
- profile email check issue fixed
Big thanks go to EgiX at milw0rm who discovered the vulnerability and Abbas Ali and Nibbler for coming up with the fix.
Thanks,
The Coppermine Team