No Support > Announcements

cpg1.5.44 Security release - upgrade mandatory!


The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.42 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.5.44 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.5.44 released?
The release covers a recently discovered SQL injection vulnerability that allows (if unpatched) a malevolent visitor to include own script routines under certain conditions. Furthermore, a possible arbitrary shell command execution has been fixed.

Additionally, cpg1.5.44 includes fixes for the following non-security related issues:

* Fixed zip upload of plugins for 64 bit PHP (thread, thread)
* Updated link in credits page (thread)
* Added new options to hidden feature "sort order of albums" (thread)
* Replaced hard-coded number "10000" with constant "FIRST_USER_CAT" (thread, thread)Thanks to Hendrik Buchwald and his team at RIPS Tech for discovering the vulnerabilities.

The Coppermine Team

Users running PHP 4, please read this.

Dear all,

It's been a long time since I checked on the Coppermine project, but I wanted to wish you all happy holidays and the very best as you keep this worthwhile project alive for so many users.  :)


[0] Message Index

Go to full version