The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.26 or older update to this latest version as soon as possible.

How to update

Users running versions prior to 1.5.28 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation.
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.5.28 released?
The release fixes a recently discovered XSS vulnerability that, if left unpatched, allows a malicious visitor to inject their own script code into the gallery under certain conditions.
Additionally, cpg1.5.28 includes fixes for the following non-security related issues:
- Fixed misleading template error message
- Fixed display of keywords with special characters (thread)
- Removed duplicate page header if error occurs when deleting an album
- Added hidden feature to regard upload time of linked files in album info (thread)
- Fixed reference to documentation in config
- Fixed various documentation glitches
- Optimized main page code to reduce database query count
- Fixed album and file count if category contains private albums
- Updated known issues page
- Fixed album and file count if category contains sub-categories that are currently not displayed (thread, thread)
- Moved config options "Horizontal/vertical padding for full-size pop-up", "Albums can be private" and "Show private album icon to unlogged user" to other groups
- Don't redirect to registration form after login (thread)
- Added possibility to use pictures linked to albums via album keyword as category thumbnail (thread)
- Fixed function 'starttable' in theme 'curve' to make it fully compatible with plugin hook 'search_form'
- Updated Catalan language file (user contribution)
- Added plugin hook 'theme_thumbnails_header'
- Added plugin hooks 'comment_update', 'comment_add' and 'comment_approve' (thread)
- Increased character limit to allow recently released top level domains (thread)
- Added function 'theme_album_info' to make the information displayed next to each album themeable
- Fixed several issues with keywords manager
- Fixed utilization of CSS class 'middlethumb' on film strip (thread)
- Updated packaging docs
The Coppermine Team