Author Topic: Maintenance release cpg1.4.8 fixes severe security issue  (Read 131082 times)

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Maintenance release cpg1.4.8 fixes severe security issue
« on: June 08, 2006, 01:48:31 am »

The Coppermine dev team announces the release of cpg1.4.8.

Coppermine 1.4.8 is different from yesterday's release of 1.4.7 by only one fix.  Coppermine 1.4.7 included a bug fix that was unfortunately not tested thoroughly and caused a serious stability issue for those who use the "Last Updated Albums" feature in Coppermine.  See the bug report here.  If you installed Coppermine 1.4.7, please upgrade to 1.4.8 immediately even if you don't use the "Last Updated Albums" feature because you might in the future.

This one fix is the *only* difference between 1.4.8 and 1.4.7.

The rest of this announcement refers to fixes added in 1.4.7, including the mandatory fix for the security vulnerability.

The new release does not contain additional new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. The reason for the release of this package is the discovery of a bug in previous Coppermine versions. All Coppermine users are strongly encouraged to upgrade their Coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).
It's mandatory to upgrade any previous versions, as the impact of the vulnerability that led to this new release is high!

So far there have been no reports of an exploit of the vulnerability, so the Coppermine dev team decided not to post instructions for a manual fix to prevent wannabe-hackers from getting an idea how to create an exploit. This will of course not prevent a determined, skilled person from coming up with a hack, so you'd better upgrade now.

The new package contains all language files that existed up till now.

Get the new release cpg1.4.8 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.8.zip?download

For those who are reluctant to spend the time & effort to upgrade heavily-modded galleries, you still *must* address this serious vulnerability.  A sufficient fix for this vulnerability would be to download the 1.4.8 package or use the copy of usermgr.php that is attached to this thread and replace your usermgr.php with the new one. For the future, please consider keeping track of your mods so you can properly upgrade to newer versions.  And consider using or creating plugins for mods as they do not modify the core scripts.

The maintenance release cpg1.4.8 of course contains all previous fixes of the 1.4.x-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.

Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your Coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).

Joachim Mueller
- Coppermine project manager -
« Last Edit: June 22, 2006, 03:27:09 am by Paver »
Logged

adrianbj

  • Contributor
  • Coppermine novice
  • ***
  • Offline Offline
  • Posts: 34
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #1 on: June 08, 2006, 01:56:26 am »

Thanks for the additional update, but I think you forgot to attach the new 1.4.8 version of usermgr.php

Adrian

PS The download link you posted is not working either
Logged

adrianbj

  • Contributor
  • Coppermine novice
  • ***
  • Offline Offline
  • Posts: 34
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #2 on: June 08, 2006, 02:03:52 am »

Here is usermgr.php version 1.4.8

edit (by Paver): Thanks for the assistance.  I have added the file above, so have deleted yours here.
« Last Edit: June 08, 2006, 02:06:06 am by Paver »
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #3 on: June 08, 2006, 02:06:39 am »

It takes a little time for Sourceforge to propagate the file to the various mirrors.  Try different ones or try later.
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.

For those running 1.3.x galleries, you are strongly recommended to upgrade to 1.4.8.  The documentation clearly describes the upgrade from 1.3.x to 1.4.8 (link), including converting any custom 1.3 themes to the improved 1.4 theme system.  Most of the popular themes have already been converted and are browseable in the demo.  Many of the mods for 1.3 have been rewritten for 1.4, with some of them being rewritten into plugins.  The new plugins system allows you to modify Coppermine without hacking the core scripts, so upgrades are very easy.

We remind you that the Coppermine 1.3 series will soon go *unsupported* and only security vulnerabilities will be addressed in this series.

Immediately patch your 1.3.x gallery using the usermgr.php file attached to this post.  Replace your current file with this new one.

Once again, please consider upgrading.  The dev team and all the supporters and contributors are working hard to make sure the latest Coppermine version is the greatest one and at the same time is completely comfortable for 1.3 users.  Test drive the current version in the demo and take the time to upgrade your 1.3.x gallery.
Logged

Don-Duracell

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 30
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #5 on: June 08, 2006, 09:43:06 pm »

Is it possible to create a mailing list to get the information directly and faster to the Users of the Gallery?
Logged
Live long and prosper...

Don-Duracell

FireMotion

  • Coppermine newbie
  • Offline Offline
  • Posts: 14
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #6 on: June 09, 2006, 09:17:54 am »

Quote: "Is it possible to create a mailing list to get the information directly and faster to the Users of the Gallery?"
There's already functionality for that.

If you have signed up at sourceforge.net, you can go to the project's files and monitor the package to be notified of any updates. You can't get the information any faster than that. :) Here's the url: http://sourceforge.net/project/showfiles.php?group_id=89658
Logged

Dead J. Dona

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 27
  • Yeppie-kaye, mazafaka (c) Bruce Willis
    • Женский журнал НАТАЛИ
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #7 on: June 09, 2006, 01:33:21 pm »

Is there a possibility to use some diff from the previous version, like the phpBB code changes?

don't want to download 3 Mb if I can download and replace one 5k file...
Logged
wbr, Me. Dead J. Dona

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #8 on: June 09, 2006, 01:36:07 pm »

no diff available
Logged

whmeeske

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 68
    • WHMEESKE.NL
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #9 on: June 10, 2006, 01:13:21 pm »

I have downloaded CPG1.4.8 from several mirrors of Sourceforge, but all of them are not valid zip-files, so I can't open them...
Is there another place where I can get a valid zip-file of CPG1.4.8?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #10 on: June 10, 2006, 01:26:25 pm »

Unable to replicate, works as expected for me (testing the mirrors Kent/UK, Belnet/Brussels/Belgium, SurfNet/Minneapolis/USA, Superb/McLean/USA, Switch/Lausanne/Switzerland) both in IE and FF.
Make sure to download the actual zip archive (extension name "zip") if you only have an archiver that is capable of decompressing zip archives; do not use the file with the extension "7z" unless you actually have the free archiver software "7zip".
Logged

scooterdad

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #11 on: June 10, 2006, 09:42:39 pm »

Well I'm just glad that the folks there at Coppermine are taking care of such a great application and I hope that they can continue to elevate such application to higher standards.

Keep up the good work.

Raymond
Logged

innerflash

  • Coppermine newbie
  • Offline Offline
  • Gender: Male
  • Posts: 13
    • InnerFlash Design - Web and Graphic Design by Wallace Rodrigues
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #12 on: June 15, 2006, 03:47:56 pm »

Very unlucky, installed the cpg1.4.7 on the same day of the release, and have been industriously working on it ever since. The site isn't published yet, but it's going to be soon.

The last albums uploaded aren't enabled, and I never meant to use it, because it's only me who can create albums anyway. However I can't set permissions for album viewing in "Groups". Is that related?

And if I really need to upgrade, isn't there a way to overwrite/replace/do something with files and MySQL?

Please do PM me, if you think a reply isn't convenient here, or if you're going to delete this message.  ???

Thanks a lot.
Logged
Give me a hint and I might give you a clue...

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #13 on: June 15, 2006, 04:07:58 pm »

Your question about what to do to patch 1.4.7 is valid on this thread.  The other question about album permissions should go on the appropriate support board, but I recommend that you read the documentation before posting.

Yes, that's unlucky.  I apologize for that.  I guess if we had been slower in releasing 1.4.8, there would have been a lot more people in your situation.

In any case, the patch is very simple.  If you follow the bug report link above, the patch is in there.  Here is the exact post: http://forum.coppermine-gallery.net/index.php?topic=32337.msg150543#msg150543.  Do that, and you effectively have 1.4.8 (although the "versioncheck" tool won't know that of course).

I recommend using a "diff" tool to compare differences in the future.  With such a tool, you can upgrade and more easily apply your hacks to the new version.  You might even consider going whole-hog and using the Coppermine Subversion repository (click on the "Project" link above - the current release is the 'stable' branch).

Of course, the ideal case would be to keep all your mods to theme customizations, plugins, and add-ons . . .
Logged
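To illustrate the "diff" recommendation in the post above, here is an added example (not part of the thread and not Coppermine code) that audits a live install against an unpacked release: it lists core files that were modified or never uploaded, and confirms that a replaced file such as usermgr.php is byte-identical to the release copy. The directory layout and file contents are constructed placeholders; `audit_tree`, `is_release_copy` and `build_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Coppermine code. Tree locations are assumptions.

# audit_tree RELEASE LIVE: one line per file shipped in the release that is
# absent from (MISSING) or different in (MODIFIED) the live install.
# Files that exist only in the live tree (uploads, local config) are ignored.
audit_tree() {
    (cd "$1" && find . -type f | sort) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$2/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
        elif ! cmp -s "$1/$rel" "$2/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# is_release_copy RELEASE LIVE PATH: true only if the live file is
# byte-identical to the release file, e.g. to confirm a replaced usermgr.php.
is_release_copy() {
    [ -f "$2/$3" ] && cmp -s "$1/$3" "$2/$3"
}

# build_sample DIR: constructed stand-in trees (contents are placeholders).
build_sample() {
    mkdir -p "$1/release/sql" "$1/live/albums"
    echo 'fixed usermgr' > "$1/release/usermgr.php"
    echo 'old usermgr'   > "$1/live/usermgr.php"      # not yet replaced
    echo 'index'         > "$1/release/index.php"
    echo 'index'         > "$1/live/index.php"        # untouched core file
    echo 'schema'        > "$1/release/sql/basic.sql" # never uploaded to live
    echo 'photo'         > "$1/live/albums/pic.jpg"   # live-only, ignored
}

demo_dir=$(mktemp -d)
build_sample "$demo_dir"
audit_tree "$demo_dir/release" "$demo_dir/live"
# After copying the release file over the live one, the check passes.
cp "$demo_dir/release/usermgr.php" "$demo_dir/live/usermgr.php"
is_release_copy "$demo_dir/release" "$demo_dir/live" usermgr.php \
    && echo 'usermgr.php matches release'
rm -rf "$demo_dir"
```

Every MODIFIED line is either a local mod to carry forward or a file that still needs the release version, so the list doubles as the record of mods the announcement asks users to keep.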

innerflash

  • Coppermine newbie
  • Offline Offline
  • Gender: Male
  • Posts: 13
    • InnerFlash Design - Web and Graphic Design by Wallace Rodrigues
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #14 on: June 15, 2006, 04:49:17 pm »

Thanks again Paver.

Applied the patch and hope to find a solution for the album permission issue in the board. I thought the problem was related to the reported bug, but I'm hopeful there's a solution waiting for me somewhere in the forum.

The mods I made were only customizations on the admin level and theme, so I don't think I'll have to worry about the core. Thanks for the advice anyway.

Cheers  :D
Logged
Give me a hint and I might give you a clue...

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #15 on: July 07, 2006, 07:20:59 pm »

Split off support request: http://forum.coppermine-gallery.net/index.php?topic=33614.0

Do *not* post support requests on this thread or on this board.
Logged

erika_conn

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 91
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #16 on: July 25, 2006, 11:28:29 pm »

I uploaded the latest program but I have run into a situation.  I'm getting error messages that read
Warning: fopen(): Unable to access sql/basic.sql in /home/cecon46/public_html/photo_gallery/install.php on line 453

Warning: fopen(sql/basic.sql): failed to open stream: Permission denied in /home/cecon46/public_html/photo_gallery/install.php on line 453

Welcome to Coppermine installation
• • • ERROR • • • 
The following errors were encountered and need to be corrected first:


--------------------------------------------------------------------------------

The file 'sql/basic.sql' could not be found. Check that you have uploaded all Coppermine files to your server

 
I did not get that file when I downloaded the program so what is a person to do?

Erika
Logged

Nibbler

  • Guest
Re: Maintenance release cpg1.4.8 fixes severe security issue
« Reply #17 on: July 25, 2006, 11:34:08 pm »

Do *not* post support requests on this thread or on this board.

Locking.
Logged