Maintenance release cpg1.4.14 (security-related) - upgrade mandatory

[Joachim Müller]

Coppermine 1.4.14 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability. It is important that all users who run version cpg1.4.13 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply the fixes mentioned below. Please note that applying the manual fixes will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.14 as well.

Manual fix (not recommended):
To manually fix the vulnerability, edit displayecard.php, find

Code:

foreach($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $HTML_SUBST));

and replace with

Code:

foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);

The following issues have been addressed in this release (changelog excerpt):

• 2007-11-07 Release of cpg1.4.14
• 2007-10-31 Removed html_entity_decode causing potential XSS vulnerability as discussed in http://forum.coppermine-gallery.net/index.php?topic=47390.0 (dev-only)
• 2007-09-17 Fixed usergroups-bug in bridge file for SMF2.0 (user contribution)

How to update:
To update any version of Coppermine to version 1.4.14, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Our thanks go to Nicolas Le Gland who reported the vulnerabilities and gave us the opportunity to prepare this release.

Joachim Müller (aka GauGau)
- Coppermine project manager -

[flinsy]

Download page don't work...
Text appear in the link.
File Not found
File: cpg1.4.14.zip not found.
To go back to the project page for coppermine click here
Click here for documentation about the download process on sf.net.

[TranzNDance]

Confirmed. I tried all US mirrors, and one in UK with various failure messages but failed nonetheless.

[François Keller]

works for me (miror in ireland)

[Joachim Müller]

We apologize for the inconvinience, but this is an issue of sourceforge.net (hopefully only temporary). If a mirror doesn't work for you, try another one. If all mirrors fail on your continent, pick another continent. If this fails as well, please try again later. I can confirm that sourceforge.net currently appears to have issues with their mirroring system (although their status page doesn't list any issues yet).
I have created a temporary mirror on my personal page (that I will remove later once the issues of sourceforge.net have been fixed by their staff) - preliminary mirror is http://gaugau.de/cpg1414.zip
Please understand that issues with the download pages of our host sourceforge.net (who provide outstanding, free services for 100,000+ open source projects btw.) can not be discussed in this thread; this thread deals with the maintenance release cpg1.4.14 (why it has been released) to alert all coppermine users of the new version. It does not deal with temporary issues that our webhost may have.

[abossola]

is there  way to get on an email list for these upfrade announcments?

[François Keller]

no, the 1.5 version will provide and annoncement (news) box. But you must be patient

[abossola]

why not, for now, have a forum thread/caegory that is called "upgrade announcements" and for users that select "notify" on that thread would get the annoucnement. As long as no replies are set in that thread and then no problem right?

thansk so much for the reply

[TranzNDance]

This thread is in an Announcements board which has a notify option. That's about as close as we can get to what you are suggesting without adding yet another board.

[Joachim Müller]

is there  way to get on an email list for these upfrade announcments?

Your reply doesn't qualify as valid reply to this announcement. Stop cluttering this thread.

[MatthewSchenker]

no, the 1.5 version will provide and annoncement (news) box. But you must be patient

I am running 1.4.11 right now and will wait for 1.5.  Is there a discussion about 1.5 progress that I can follow online?

[Hein Traag]

I am running 1.4.11 right now and will wait for 1.5.  Is there a discussion about 1.5 progress that I can follow online?

Upgrade to 1.4.14 asap. CPG 1.5 is cooking in the oven, no date set for when it has to be ready. Be patient, don't clutter a announcement thread and update your cpg asap.

[Joachim Müller]

@Matthew: you have been warned before. This is the last warning. Your next slightest act of disrespecting board rules and common sense will lead to your permanent ban.

[MatthewSchenker]

@Matthew: you have been warned before. This is the last warning. Your next slightest act of disrespecting board rules and common sense will lead to your permanent ban.

What are you attacking me for?  I just asked an innocent question.  You make things difficult for yourself when you get so upset about every little thing.

[Joachim Müller]

What are you attacking me for? 

For cluttering an announcement thread with your individual issues, although the initial posting clearly says that you mustn't. This thread deals with the release of cpg1.4.14. It does not deal with cpg1.5.x, which is what you have asked. So you broke board rules once more. Additionally, you sent unsoliticed PMs to other devs, which is another breach of board rules.
It's because people like you why we have to lock all sticky announcement threads, taking away the possibility to allow others to post legitimate comments on sticky threads (postings that deal with the actual issue the sticky announcement thread is about). So once again I have to lock an announcement thread, which is what I'm doing now. *sigh*
You have repeatedly misbehaved by not respecting board rules (you're welcome to review the threads that contain your previous postings, but I'm not going to loop through all your posting to summarize where you misbehaved). It's part of my job to remind users of board rules if they break it. I am not attacking you personally because I feel like it, I just do my job. You blatantly showed another time your misrespect of board rules by cluttering this thread even after having been told to stop it and shut up, so this leaves me with only one option left: you're being banned. As you already have been banned temporarily, yet you haven't learned anything from that, so this ban is permanent. Goodbye. Don't dare to re-register.