Maintenance release cpg1.4.8 fixes severe security issue
Joachim Müller:
The Coppermine dev team announces the release of cpg1.4.8.
Coppermine 1.4.8 is different from yesterday's release of 1.4.7 by only one fix. Coppermine 1.4.7 included a bug fix that was unfortunately not tested thoroughly and caused a serious stability issue for those who use the "Last Updated Albums" feature in Coppermine. See the bug report here. If you installed Coppermine 1.4.7, please upgrade to 1.4.8 immediately even if you don't use the "Last Updated Albums" feature because you might in the future.
This one fix is the *only* difference between 1.4.8 and 1.4.7.
The rest of this announcement refers to fixes added in 1.4.7, including the mandatory fix for the security vulnerability.
The new release does not contain additional new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. The reason for the release of this package is the discovery of a bug in previous Coppermine versions. All Coppermine users are strongly encouraged to upgrade their Coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).
It's mandatory to upgrade any previous versions, as the impact of the vulnerability that led to this new release is high!
So far there have been no reports of an exploit of the vulnerability, so the Coppermine dev team decided not to post instructions for a manual fix to prevent wannabe-hackers from getting an idea of how to create an exploit. This will of course not prevent a determined, skilled person from coming up with a hack, so you had better upgrade now.
The new package contains all language files that existed up till now.
Get the new release cpg1.4.8 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.8.zip?download
For those who are reluctant to spend the time & effort to upgrade heavily-modded galleries, you still *must* address this serious vulnerability. A sufficient fix for this vulnerability would be to download the 1.4.8 package or use the copy of usermgr.php that is attached to this thread and replace your usermgr.php with the new one. For the future, please consider keeping track of your mods so you can properly upgrade to newer versions. And consider using or creating plugins for mods as they do not modify the core scripts.
The maintenance release cpg1.4.8 of course contains all previous fixes of the 1.4.x-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.
Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your Coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).
Joachim Mueller
- Coppermine project manager -
adrianbj:
Thanks for the additional update, but I think you forgot to attach the new 1.4.8 version of usermgr.php.
Adrian
PS: The download link you posted is not working either.
adrianbj:
Here is usermgr.php version 1.4.8
edit (by Paver): Thanks for the assistance. I have added the file above, so have deleted yours here.
Paver:
It takes a little time for Sourceforge to propagate the file to the various mirrors. Try different ones or try later.
Paver:
For those running 1.3.x galleries, you are strongly recommended to upgrade to 1.4.8. The documentation clearly describes the upgrade from 1.3.x to 1.4.8 (link), including converting any custom 1.3 themes to the improved 1.4 theme system. Most of the popular themes have already been converted and are browseable in the demo. Many of the mods for 1.3 have been rewritten for 1.4, with some of them being rewritten into plugins. The new plugins system allows you to modify Coppermine without hacking the core scripts, so upgrades are very easy.
We remind you that the Coppermine 1.3 series will soon go *unsupported* and only security vulnerabilities will be addressed in this series.
Immediately patch your 1.3.x gallery using the usermgr.php file attached to this post. Replace your current file with this new one.
Once again, please consider upgrading. The dev team and all the supporters and contributors are working hard to make sure the latest Coppermine version is the greatest one and at the same time is completely comfortable for 1.3 users. Test drive the current version in the demo and take the time to upgrade your 1.3.x gallery.