

Author Topic: cpg1.5.26 Security release - upgrade mandatory!  (Read 33702 times)


Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline
  • Gender: Male
  • Posts: 15764
cpg1.5.26 Security release - upgrade mandatory!
« on: January 11, 2014, 06:23:48 pm »

The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.24 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.5.26 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation.

Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.5.26 released?
The release covers a recently discovered issue which allows users to upload pictures to public albums without permission under certain conditions (thread).
Furthermore, the release covers recently discovered XSS vulnerabilities that allow (if unpatched) a malevolent visitor to include their own script routines under certain conditions (thread, thread).

Additionally, cpg1.5.26 includes fixes for the following non-security related issues:
  • Fixed custom menu link icon (thread)
  • Fixed error message when removing favorite pictures (thread)
  • Fixed possible issue when searching for image titles (thread)
  • Optimized admin tools "Update thumbs and/or resized photos" and "Delete original image backup for watermarked images" (thread)
  • Optimized code if 'Show first level album thumbnails in categories' is disabled (thread)
  • Added possibility to choose category thumbnail for user galleries category (thread)
  • Fixed display of quota on profile page if user belongs to more than one group
  • Fixed display of additional groups on profile page if user doesn't belong to more than one group
  • Fixed strict standards warning messages (thread)
  • Added PHP4-replacement of function htmlspecialchars_decode to fix email issues (thread)
  • Extended captcha_plugin_enabled function to distinguish various forms
  • Optimized album thumbnails code to reduce database query count (thread)
  • Fixed typo in plugin writing docs (thread)
  • Updated template plugin to match fixed typo in the docs (thread)
  • Fixed regex check for "The content of the main page" in config (thread)
  • Shuffled thumbnails for meta album "random" instead of sorting them by pid (thread)
  • Fixed docs regarding user quota (thread)
  • Added CSS class "thumbnail" to thumbnail images on thumbnails.php pages (thread)
  • Added CSS class "thumbnail" to album thumbnails (thread)
  • Fixed clickable keyword list content (thread)
  • Removed references to constants THEME_HAS_VANITY_GRAPHICS and THEME_IS_XHTML10_TRANSITIONAL, as they didn't work as intended
  • Added CSS classes "thumb_title_title", "thumb_title_views", "thumb_title_owner", "thumb_caption_caption", "thumb_caption_msg_date", "thumb_caption_author", "thumb_caption_ctime", "thumb_caption_rating", "thumb_caption_mtime" to thumbnail meta data on thumbnails.php pages (thread)
  • Fixed smiley detection in theme directory (thread)
  • Added constant THEME_HAS_COMMENT_GRAPHICS to use theme-depended images for approve/disapprove/delete/edit/report comments (thread)
  • Updated Czech language file (user contribution)
  • Updated header information to reflect new year
Thanks to rodrigomesquita16 and tay666 for discovering the vulnerabilities.


The Coppermine Team
« Last Edit: January 11, 2014, 06:54:50 pm by Αndré »

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline
  • Gender: Male
  • Posts: 15764
Re: cpg1.5.26 Security release - upgrade mandatory!
« Reply #1 on: January 11, 2014, 09:24:39 pm »

Users running PHP 4, please read this.