Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: cpg1.4.26 Security release - upgrade mandatory!  (Read 74162 times)

0 Members and 1 Guest are viewing this topic.

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15764
cpg1.4.26 Security release - upgrade mandatory!
« on: January 28, 2010, 11:41:28 am »

The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.25 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.4.26 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation.

For those who want to apply the vulnerability fix manually to their Coppermine installation, open upload.php, find
Code: [Select]
echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} {$URI_failure_array[$i]['URI_name']}</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";and replace with
Code: [Select]
echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} ".htmlentities($URI_failure_array[$i]['URI_name'])."</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";
Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.4.26 released?
The release covers a recently discovered input validation vulnerability that allows (if unpatched) a malevolent visitor to include own script routines (thread).

Additionally, cpg1.4.26 includes fixes for the following non-security related issues:
  • Edited vBulletin bridge to reflect changes from vB3.x to vB4.x
  • Added check to plugin manager for version requirements - backported feature from cpg1.5.x (thread)
  • Updated Italian Language file
  • Fixed permission check in crop/rotate wrongly denying access
  • Fixed caching issues with xp publisher
  • Fixed issue with creating albums in xp publisher with MySQL's strict mode enabled
  • Fixed bridge issue when creating albums in xp publisher
  • Updated German language files (added missing strings)
  • Updated MyBB bridge to 1.4
  • Updated Czech language file (user contribution)
  • Updated Slovak language file (user contribution)
  • Updated Italian language file (user contribution)

Thanks to Aditya Mooley for coming up with the fix, and thanks to Ivan Buetler and the GESEC Team for discovering the vulnerability.


Thanks,
The Coppermine Team
« Last Edit: February 01, 2010, 08:15:30 pm by Fabricio Ferrero »
Logged

François Keller

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: fr
  • Offline Offline
  • Gender: Male
  • Posts: 9094
  • aka Frantz
    • Ma galerie
Re: cpg1.4.26 Security release - upgrade mandatory!
« Reply #1 on: February 01, 2010, 07:07:42 pm »

French announcement here
Traduction Française ici
Logged
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog

Fabricio Ferrero

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 1996
  • From San Juan, Argentina, to the World!
    • http://fabricioferrero.com/
Re: cpg1.4.26 Security release - upgrade mandatory!
« Reply #2 on: February 01, 2010, 08:29:21 pm »

Spanish Announcement here.
Anuncio en Español aquí.
Logged
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Makc666

  • Translator
  • Coppermine addict
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 1614
  • Русский (ISO-8859-1) - Russian - Ðóññêèé (Windows)
    • Makc's home page
Re: cpg1.4.26 Security release - upgrade mandatory!
« Reply #3 on: February 02, 2010, 09:52:42 pm »

Russian Announcement here.
Объявление на Русском здесь. (ISO-8859-1)
Îáúÿâëåíèå íà Ðóññêîì çäåñü. (Windows-1251)
« Last Edit: February 03, 2010, 10:17:46 am by Makc666 »
Logged
Pages: [1]   Go Up
 

Page created in 0.02 seconds with 19 queries.