forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Joachim Müller on July 02, 2007, 06:07:13 pm

Title: Maintenance release cpg1.4.12 (security issue) - upgrade mandatory
Post by: Joachim Müller on July 02, 2007, 06:07:13 pm
Coppermine 1.4.12 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered MySQL vulnerability that can lead to disclosure of sensitive information. It is important that all users who run version cpg1.4.10 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to include/functions.inc.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.11 as well.

To manually fix the vulnerability, edit include/functions.inc.php (using a plain-text editor), find
Code:
           $aid_str = implode(",",array_keys($alb_pw));
and replace with
Code:
          foreach($alb_pw as $aid => $value) {
            $aid_str .= (int)$aid . ",";
          }

          $aid_str = substr($aid_str, 0, -1);

The following issues have been addressed in this release:
To update any version of Coppermine to version 1.4.12, download (http://prdownloads.sourceforge.net/coppermine/cpg1.4.12.zip?download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and follow the upgrade steps in the documentation (http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upgrade).

If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - they will be deleted without notice.

Why was cpg1.4.12 released only three days after the release of cpg1.4.11?
The security issue discussed in this thread has been fixed in cpg1.4.11 as well, that's why cpg1.4.11 was released on 2007-06-29. However, the fix that went into cpg1.4.11 had a minor bug (a missing dot). We apologize for any inconvenience that this slight error may have caused. Subsequently, cpg1.4.11 solves the security issue just as well as cpg1.4.12. The only difference is cosmetic - users who have applied cpg1.4.11 already will hardly notice the difference between cpg1.4.11 and cpg1.4.12 - there's no real reason for them to go through the upgrade process again. However: all users who run older versions than cpg1.4.11 need to upgrade to cpg1.4.12 no matter what.

Joachim Müller (aka GauGau)
- Coppermine project manager -
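
The effect of the manual fix above, as an added PHP example that is not part of the original announcement or of Coppermine's code: it compares the original implode() line, the (int) cast from the fix, and a stricter digits-only filter that goes beyond what the announcement describes. The function names and the sample $alb_pw keys are constructed for illustration, on the assumption that the array keys can carry non-numeric text.

```php
<?php
// Added illustration, not Coppermine code. All sample data is constructed.

// Original line: array keys are joined verbatim into the ID list.
function aid_list_unpatched(array $alb_pw): string {
    return implode(",", array_keys($alb_pw));
}

// Manual fix from the announcement: every key is cast to int first.
// $aid_str is initialised here so the function runs stand-alone.
function aid_list_patched(array $alb_pw): string {
    $aid_str = '';
    foreach ($alb_pw as $aid => $value) {
        $aid_str .= (int)$aid . ",";
    }
    return (string)substr($aid_str, 0, -1);
}

// Stricter variant (an addition, not in the announcement): keys that are
// not purely decimal digits are dropped instead of being coerced.
function aid_list_strict(array $alb_pw): string {
    $ids = [];
    foreach (array_keys($alb_pw) as $aid) {
        if (ctype_digit((string)$aid)) {
            $ids[] = (int)$aid;
        }
    }
    return implode(",", $ids);
}

// Constructed input: one valid album ID and two non-numeric keys.
$alb_pw = [
    3                     => 'hash-a',
    '4 OR extra_sql_text' => 'hash-b',
    'abc'                 => 'hash-c',
];

// Each list would be placed inside an SQL "IN (...)" style clause.
echo "unpatched: ", aid_list_unpatched($alb_pw), PHP_EOL;
echo "patched:   ", aid_list_patched($alb_pw), PHP_EOL;
echo "strict:    ", aid_list_strict($alb_pw), PHP_EOL;
```

The cast guarantees the list contains only integers, but PHP coerces a key with a leading number to that number and any other text to 0, so the stricter filter is useful where a malformed key should be rejected rather than mapped to some album ID.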