
News:

cpg1.5.46 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.44 or older update to this latest version as soon as possible.


Topic: cpg1.3.3 released - upgrade strongly recommended (Read 110394 times)


Joachim Müller (Dev Team member, aka "GauGau", gaugau.de)
cpg1.3.3 released - upgrade strongly recommended
« on: April 20, 2005, 09:31:09 am »

The coppermine team has released a maintenance version of coppermine v1.3: cpg1.3.3 is the most recent stable version and is the one we strongly recommend using. We originally planned to release cpg1.4.x pretty soon, but we were forced to publish the maintenance release first, because possible security issues that relate to cpg1.3.0, cpg1.3.1 and cpg1.3.2 have been discovered:

Coppermine 1.3.3 fixes other minor issues as well - as usual, it's the best coppermine version we could think of, and it's recommended for use in production environments.

There are instructions included in the package (in the docs folder) on how to upgrade existing installs as well as fresh install instructions - please read the documentation carefully.

Download cpg1.3.3

Joachim
« Last Edit: August 22, 2005, 08:18:31 am by GauGau »

Nibbler (Guest)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #1 on: April 20, 2005, 07:54:07 pm »

For those wishing to fix the XSS security issue without making a full update, here is the change that is required:

file: include/init.inc.php

find:

Code:
// Record User's IP address
$raw_ip = stripslashes($HTTP_SERVER_VARS['REMOTE_ADDR']);

if (isset($HTTP_SERVER_VARS['HTTP_CLIENT_IP'])) {
    $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_CLIENT_IP']);
} else {
    if (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
        $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']);
    } else {
        $hdr_ip = $raw_ip;
    }
}

and add after it, the following 2 new lines:

Code:
if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $raw_ip)) $raw_ip = '0.0.0.0';
if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $hdr_ip)) $hdr_ip = '0.0.0.0';


Please note that a full update is preferable where possible as other issues are also addressed in this update.

Thank you.
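The two added lines above replace anything that is not shaped like a dotted quad with 0.0.0.0, which is what stops a script payload sent in HTTP_CLIENT_IP or X-Forwarded-For from being stored and later rendered as HTML. Two caveats a practitioner will want: the shape check accepts octets above 255 (999.999.999.999 passes), and it discards legitimate comma-separated proxy chains and any IPv6 address. The Python below is an added example, not Coppermine's code and not Nibbler's: it models the PHP selection logic on a dict standing in for $HTTP_SERVER_VARS, applies the posted regex, and sets a stricter variant next to it (first hop of the chain, parsed with the ipaddress module; that variant is my assumption, not something the thread proposes). The sample request dicts are constructed for the demonstration, and stripslashes is left out since it only matters with magic_quotes.

```python
import ipaddress
import re

# The pattern posted in the thread: it checks the shape of a dotted quad only.
COPPERMINE_IPV4_RE = re.compile(r'^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$')
FALLBACK = '0.0.0.0'


def pick_ips(server_vars):
    """Mirror of the init.inc.php selection logic (stripslashes omitted).

    REMOTE_ADDR comes from the TCP connection; HTTP_CLIENT_IP and
    HTTP_X_FORWARDED_FOR are ordinary request headers, so the client
    controls every byte of hdr_ip whenever either header is present.
    """
    raw_ip = server_vars.get('REMOTE_ADDR', '')
    if 'HTTP_CLIENT_IP' in server_vars:
        hdr_ip = server_vars['HTTP_CLIENT_IP']
    elif 'HTTP_X_FORWARDED_FOR' in server_vars:
        hdr_ip = server_vars['HTTP_X_FORWARDED_FOR']
    else:
        hdr_ip = raw_ip
    return raw_ip, hdr_ip


def coppermine_fix(ip):
    """The two-line fix from the thread: anything failing the shape check becomes 0.0.0.0."""
    return ip if COPPERMINE_IPV4_RE.match(ip) else FALLBACK


def strict_fix(ip):
    """Stricter variant (an assumption for this example, not the project's code):
    keep the first hop of a comma-separated proxy chain and require it to parse
    as a real IPv4 or IPv6 address, so 999.999.999.999 is rejected as well."""
    first_hop = ip.split(',', 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return FALLBACK


def sanitized_ips(server_vars, fix=coppermine_fix):
    """Return (raw_ip, hdr_ip) after running both through the chosen check."""
    raw_ip, hdr_ip = pick_ips(server_vars)
    return fix(raw_ip), fix(hdr_ip)


# Constructed sample requests for this example (not captured traffic).
ATTACK = {  # script payload smuggled in a forwarding header
    'REMOTE_ADDR': '203.0.113.7',
    'HTTP_X_FORWARDED_FOR': '<script>alert(document.cookie)</script>',
}
PROXIED = {  # legitimate two-hop proxy chain
    'REMOTE_ADDR': '203.0.113.7',
    'HTTP_X_FORWARDED_FOR': '198.51.100.23, 203.0.113.7',
}
BOGUS = {  # passes the dotted-quad shape check but is not an address
    'REMOTE_ADDR': '203.0.113.7',
    'HTTP_CLIENT_IP': '999.999.999.999',
}

if __name__ == '__main__':
    for name, req in (('attack', ATTACK), ('proxied', PROXIED), ('bogus', BOGUS)):
        print(name, 'unpatched: ', pick_ips(req))
        print(name, 'thread fix:', sanitized_ips(req))
        print(name, 'strict fix:', sanitized_ips(req, strict_fix))
```

Without the fix, the attack request hands the raw script string to whatever later echoes the stored address; with it, the header value collapses to 0.0.0.0. The proxied request shows the cost of the shape check (the whole chain is thrown away), and the bogus one shows what it does not catch.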

flog
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #2 on: April 20, 2005, 08:42:36 pm »

Thank you very much for this important message.

Titooy (VIP)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #3 on: April 20, 2005, 11:07:20 pm »

Maybe you should change "Latest downloads ::." on the home page. It still points to cpg1.3.2.

SaigonK
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #4 on: April 21, 2005, 03:54:32 am »

What other fixes are there?

neodragon
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #5 on: April 21, 2005, 08:53:52 am »

I think one user's gallery is not shown if there is no public album in it (for a visitor, of course).

Joachim Müller (Dev Team member, aka "GauGau", gaugau.de)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #6 on: April 21, 2005, 09:02:37 am »

Quote
What other fixes are there?

Roughly: a lot of language files in cpg1.3.2 contained errors that were fixed in cpg1.3.3; additionally, a vulnerability in the way favorites are handled has been fixed. There are too many fixes to mention them all - please refer to the changelog for exact data and to the postings in the "cpg1.3 testing / bugs" board.

Quote
I think one user's gallery is not shown if there is no public album in it (for a visitor, of course).

This is expected behaviour.

Joachim

neodragon
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #7 on: April 21, 2005, 10:41:44 am »

Quote
This is expected behaviour.

With 1.3.2, I had some users' galleries with no public album that were shown to visitors.

But anyway, it's OK for me. I like this "new" (or not new, that's the question ;D) behaviour.

JTynes
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #8 on: April 21, 2005, 11:03:58 am »

What is the best way to go about an upgrade? Can you simply FTP the new files and run install as before? How does this affect the data and MySQL tables already established? I'd love to find a step-by-step guide on upgrading. Does one exist?

Joachim Müller (Dev Team member, aka "GauGau", gaugau.de)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #9 on: April 21, 2005, 11:11:18 am »

Inside the docs that come with the package, as suggested above ::):
Quote
There are instructions included in the package (in the docs folder) on how to upgrade existing installs as well as fresh install instructions - please read the documentation carefully.

In fact: yes, you upload all new files to your webspace, overwriting the older coppermine files. Make sure to back up before doing so, as you might lose customizations (e.g. anycontent.php or bridging) and you will have to re-apply them after the update. Make sure to run update.php as well.

Joachim

Joachim Müller (Dev Team member, aka "GauGau", gaugau.de)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #10 on: April 21, 2005, 11:20:08 pm »

Split an unrelated topic and moved it to the proper board: http://forum.coppermine-gallery.net/index.php?topic=17195.0

@all: do not reply to this thread with particular issues you have with setting up coppermine. This is an announcement thread that is only meant for news on the fix itself (i.e. the security flaws that were fixed with the release). All other issues you may have with cpg1.3.3 should be addressed in the proper board: "CPG 1.3 Standalone Support" and its sub-boards.

Joachim

cdrake
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #11 on: April 21, 2005, 11:27:30 pm »

What files have been edited?

Casper (VIP)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #12 on: April 21, 2005, 11:42:26 pm »

Quote
There are too many fixes to mention them all - please refer to the changelog for exact data and to the postings in the "cpg1.3 testing / bugs" board.

It would be much easier to just replace them all, unless you have loads of mods applied.

cdrake
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #13 on: April 21, 2005, 11:51:47 pm »

Quote
Unless you have loads of mods applied.

 :P :P :P I do

Joachim Müller (Dev Team member, aka "GauGau", gaugau.de)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #14 on: April 21, 2005, 11:57:45 pm »

Nearly all; that's why you're advised to do a full update, not just a replacement of 2 or 3 files.
This is a list of the file versions. Compare them to the file versions of your cpg1.3.2 install (the last column in versioncheck.php):
File  Version
addfav.php  1.6
addpic.php  1.9
admin.php  1.6
albmgr.php  1.6
anycontent.php  1.6
banning.php  1.7
calendar.php  1.4
catmgr.php  1.7
config.php  1.13
db_ecard.php  1.5
db_input.php  1.9
delete.php  1.7
displayecard.php  1.6
displayimage.php  1.11
ecard.php  1.12
editOnePic.php  1.12
editpics.php  1.8
faq.php  1.4
forgot_passwd.php  1.6
getlang.php  1.6
groupmgr.php  1.7
image_processor.php  1.5
index.php  1.17
install.php  1.14
installer.css  1.4
login.php  1.6
logout.php  1.6
modifyalb.php  1.7
phpinfo.php  1.6
picEditor.php  1.4
profile.php  1.7
ratepic.php  1.6
register.php  1.11
reviewcom.php  1.6
search.php  1.6
searchnew.php  1.10
showthumb.php  1.6
thumbnails.php  1.6
update.php  1.9
upgrade-1.0-to-1.2.php  1.7
upload.php  1.14
usermgr.php  1.7
util.php  1.13
versioncheck.php  1.8
xp_publish.php  1.8
zipdownload.php  1.5
bridge/invisionboard.inc.php  1.9
bridge/phpbb.inc.php  1.11
bridge/punbb.inc.php  1.3
bridge/smf.inc.php  1.8
bridge/vbulletin.inc.php  1.7
bridge/vbulletin23.inc.php  1.7
bridge/vbulletin30.inc.php  1.8
bridge/vbulletin3gamma.inc.php  1.6
bridge/woltlab21.inc.php  1.7
bridge/yabbse.inc.php  1.9
include/archive.php  1.4
include/crop.inc.php  1.5
include/exif_php.inc.php  1.7
include/exifReader.inc.php  1.4
include/functions.inc.php  1.24
include/imageObjectGD.class.php  1.5
include/imageObjectIM.class.php  1.4
include/init.inc.php  1.15
include/iptc.inc.php  1.4
include/mailer.inc.php  1.6
include/media.functions.inc.php  1.4
include/picmgmt.inc.php  1.10
include/search.inc.php  1.6
include/select_lang.inc.php  1.7
include/slideshow.inc.php  1.9
include/smilies.inc.php  1.6
include/sql_parse.php  1.6
lang/arabic.php  1.11
lang/arabic-utf-8.php  1.12
lang/brazilian_portuguese.php  1.9
lang/brazilian_portuguese-utf-8.php  1.10
lang/bulgarian.php  1.6
lang/bulgarian-utf-8.php  1.8
lang/catalan.php  1.6
lang/catalan-utf-8.php  1.7
lang/chinese_big5.php  1.11
lang/chinese_big5-utf-8.php  1.12
lang/chinese_gb.php  1.11
lang/chinese_gb-utf-8.php  1.12
lang/croatian.php  1.9
lang/croatian-utf-8.php  1.10
lang/czech.php  1.10
lang/czech-utf-8.php  1.11
lang/danish.php  1.11
lang/danish-utf-8.php  1.11
lang/dutch.php  1.10
lang/dutch-utf-8.php  1.11
lang/english.php  1.18
lang/english-utf-8.php  1.13
lang/estonian.php  1.10
lang/estonian-utf-8.php  1.11
lang/finnish.php  1.7
lang/finnish-utf-8.php  1.8
lang/french.php  1.15
lang/french-utf-8.php  1.14
lang/german.php  1.13
lang/german-utf-8.php  1.13
lang/german_sie.php  1.4
lang/german_sie-utf-8.php  1.4
lang/greek.php  1.8
lang/greek-utf-8.php  1.9
lang/hebrew.php  1.9
lang/hebrew-utf-8.php  1.11
lang/hungarian.php  1.8
lang/hungarian-utf-8.php  1.9
lang/indonesian.php  1.7
lang/indonesian-utf-8.php  1.8
lang/italian.php  1.10
lang/italian-utf-8.php  1.11
lang/italian2.php  1.3
lang/italian2-utf-8.php  1.4
lang/japanese.php  1.9
lang/japanese-utf-8.php  1.10
lang/kurdish.php  1.2
lang/kurdish-utf-8.php  1.3
lang/latvian.php  1.10
lang/latvian-utf-8.php  1.12
lang/malay.php  1.3
lang/malay-utf-8.php  1.4
lang/norwegian.php  1.9
lang/norwegian-utf-8.php  1.10
lang/polish.php  1.6
lang/polish-utf-8.php  1.8
lang/romanian.php  1.7
lang/romanian-utf-8.php  1.8
lang/romanian_no_diacritics.php  1.2
lang/romanian_no_diacritics-utf-8.php  1.3
lang/russian.php  1.13
lang/russian-utf-8.php  1.14
lang/slovak.php  1.5
lang/slovak-utf-8.php  1.6
lang/slovenian.php  1.7
lang/slovenian-utf-8.php  1.8
lang/spanish.php  1.7
lang/spanish-utf-8.php  1.9
lang/swedish.php  1.9
lang/swedish-utf-8.php  1.10
lang/turkish.php  1.8
lang/turkish-utf-8.php  1.9
lang/uighur.php  1.3
lang/uighur-utf-8.php  1.4
lang/vietnamese.php  1.5
lang/vietnamese-utf-8.php  1.6
sql/basic.sql  1.8
sql/schema.sql  1.4
sql/update.sql  1.14
themes/classic/style.css  1.2
themes/classic/template.html  1.2
themes/classic/theme.php  1.8
themes/eyeball/style.css  1.3
themes/eyeball/template.html  1.5
themes/eyeball/theme.php  1.10
themes/fruity/style.css  1.3
themes/fruity/template.html  1.6
themes/fruity/theme.php  1.9
themes/hardwired/style.css  1.3
themes/hardwired/template.html  1.7
themes/hardwired/theme.php  1.12
themes/igames/style.css  1.3
themes/igames/template.html  1.6
themes/igames/theme.php  1.11
themes/mac_ox_x/style.css  1.3
themes/mac_ox_x/template.html  1.5
themes/mac_ox_x/theme.php  1.10
themes/project_vii/style.css  1.3
themes/project_vii/template.html  1.5
themes/project_vii/theme.php  1.10
themes/rainy_day/style.css  1.3
themes/rainy_day/template.html  1.7
themes/rainy_day/theme.php  1.10
themes/water_drop/style.css  1.3
themes/water_drop/template.html  1.5
themes/water_drop/theme.php  1.10


Quote
It would be much easier to just replace them all, unless you have loads of mods applied.
Quote
:P :P :P I do

It's generally a drawback of heavily modifying any web app: upgrading gets harder. Use a diff viewer like WinMerge to handle your mods issue.

Joachim
« Last Edit: April 22, 2005, 12:03:04 am by GauGau »

cdrake
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #15 on: April 22, 2005, 03:39:56 am »

Thanks for the help. WinMerge is a great tool!

nanothree (RockThoseLocks)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #16 on: April 22, 2005, 11:24:49 am »

Will this mess up my phpBB bridge?

Nibbler (Guest)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #17 on: April 22, 2005, 01:11:46 pm »

You'll have to redo the integration steps, that's all.

Makc666 (Translator, Russian)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #18 on: April 23, 2005, 03:25:45 am »

========================
Step 0.
All steps were done under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch

========================
Step 1.
First of all!
I removed the
/cpg132/lang/
/cpg133/lang/
dirs before patching, as:
- it becomes too big
- there are problems with patching Japanese (etc.) language files
- you can update the lang files manually

========================
Step 2.
Second, I ran:
diff -crbBN cpg132 cpg133 >cpg-1.3.2_to_1.3.3.patch

========================
Step 3.
Then I made a copy of the gallery folder which I was going to patch:
cp -R coppermine coppermine-new

========================
Step 4.
You also have to copy these files into your directory:
/coppermine/CHANGELOG
/coppermine/COPYING
/coppermine/install.php

You can take them from cpg1.3.2.zip, as you need the old ones:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.2.zip?download

========================
Step 5.
Put your patch file into:
/coppermine-new/cpg-1.3.2_to_1.3.3.patch

========================
Step 6.
patch -cl -d /coppermine-new/ -p1 < /coppermine-new/cpg-1.3.2_to_1.3.3.patch
In this case you will see all results on your screen,
so make your scroll buffer big enough.
It will be about 1200 lines!

========================
Step 7.
Update your
/coppermine/lang/
dir with the necessary files.
For example, I use only Eng, Ger, Rus.

###########################
###!!! READ THIS ONE !!!###
###########################
During the patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
--> Hunk #1 failed at 1.

Example below.
The word "succeeded" means there were no problems patching that part of the code.
The word "failed" means there was some problem.

If you see "failed" for some file, you have to open the file named "FILENAME_WITH_ERROR.rej"
(in the example below it is "zipdownload.php.rej")
and look at what the patch couldn't change, and fix that manually.

After all such fixes you will have to delete all *.rej and *.orig files from the coppermine directory and subdirs!

The word "done" means that patch went through the whole "cpg-1.3.2_to_1.3.3.patch" file.

###########################
###### EXAMPLE START ######
###########################

--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php      Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php      Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php     Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php     Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done

###########################
###### EXAMPLE END ########
###########################

========================
Step 8.
Run: http://your.gallery.com/update.php

- If you have not already done so, create a folder called "edit" within your "albums" directory. This folder will be used by coppermine as a temporary folder; do not ftp-upload files there. Make sure the new "edit" folder is CHMODed the same way your albums directory is (755 or 777, depending on your server's config).
- Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php). This will update your coppermine install by making all necessary changes in the database.

Taken from:
/cpg133/docs/index.htm#13
3.4 Upgrading from cpg1.2.0rc2 or better to version cpg1.3.3

========================
That's it!
(c) Makc666 :)

makc666 [at] newmail.ru
makc666 [at] yahoo.com
« Last Edit: April 23, 2005, 03:33:49 am by Makc666 »

nanothree (RockThoseLocks)
Re: cpg1.3.3 released - upgrade strongly recommended
« Reply #19 on: April 23, 2005, 10:26:50 am »

Thanks Makc666.