forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Αndr on January 28, 2010, 11:41:28 am

Title: cpg1.4.26 Security release - upgrade mandatory!
Post by: Αndr on January 28, 2010, 11:41:28 am
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.25 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.4.26 should update immediately by downloading (https://sourceforge.net/projects/coppermine/files/Coppermine/1.4.26%20%28stable%29/cpg1.4.26.zip/download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://coppermine.svn.sourceforge.net/viewvc/coppermine/trunk/cpg1.4.x/docs/index.htm#upgrade).

For those who want to apply the vulnerability fix manually to their Coppermine installation, open upload.php, find
Code: [Select]
echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} {$URI_failure_array[$i]['URI_name']}</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";and replace with
Code: [Select]
echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} ".htmlentities($URI_failure_array[$i]['URI_name'])."</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";
Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.4.26 released?
The release covers a recently discovered input validation vulnerability that allows (if unpatched) a malevolent visitor to include own script routines (thread (http://forum.coppermine-gallery.net/index.php/topic,63488.0.html)).

Additionally, cpg1.4.26 includes fixes for the following non-security related issues:

Thanks to Aditya Mooley (http://forum.coppermine-gallery.net/index.php?action=profile;u=5957) for coming up with the fix, and thanks to Ivan Buetler and the GESEC Team for discovering the vulnerability.


Thanks,
The Coppermine Team
Title: Re: cpg1.4.26 Security release - upgrade mandatory!
Post by: Franois Keller on February 01, 2010, 07:07:42 pm
French announcement here (http://forum.coppermine-gallery.net/index.php/topic,63564.0.html)
Traduction Franaise ici (http://forum.coppermine-gallery.net/index.php/topic,63564.0.html)
Title: Re: cpg1.4.26 Security release - upgrade mandatory!
Post by: Fabricio Ferrero on February 01, 2010, 08:29:21 pm
Spanish Announcement here. (http://forum.coppermine-gallery.net/index.php/topic,63567.0.html)
Anuncio en Espaol aqu. (http://forum.coppermine-gallery.net/index.php/topic,63567.0.html)
Title: Re: cpg1.4.26 Security release - upgrade mandatory!
Post by: Makc666 on February 02, 2010, 09:52:42 pm
Russian Announcement here (http://forum.coppermine-gallery.net/index.php/topic,58394.msg315815.html#msg315815).
Объявление на Русском здесь (http://forum.coppermine-gallery.net/index.php/topic,58394.msg315815.html#msg315815). (ISO-8859-1)
(http://forum.coppermine-gallery.net/index.php/topic,58394.msg315815.html#msg315815). (Windows-1251)