Maintenance release cpg1.4.8 fixes severe security issue

Started by Joachim Müller, June 08, 2006, 01:48:31 AM

Joachim Müller

The Coppermine dev team announces the release of cpg1.4.8.

Coppermine 1.4.8 is different from yesterday's release of 1.4.7 by only one fix.  Coppermine 1.4.7 included a bug fix that was unfortunately not tested thoroughly and caused a serious stability issue for those who use the "Last Updated Albums" feature in Coppermine.  See the bug report here.  If you installed Coppermine 1.4.7, please upgrade to 1.4.8 immediately even if you don't use the "Last Updated Albums" feature because you might in the future.

This one fix is the *only* difference between 1.4.8 and 1.4.7.

The rest of this announcement refers to fixes added in 1.4.7, including the mandatory fix for the security vulnerability.

The new release does not contain additional new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. The reason for the release of this package is the discovery of a bug in previous Coppermine versions. All Coppermine users are strongly encouraged to upgrade their Coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).
It's mandatory to upgrade any previous versions, as the impact of the vulnerability that led to this new release is high!

So far there have been no reports of an exploit of the vulnerability, so the Coppermine dev team decided not to post instructions for a manual fix, to prevent wannabe-hackers from getting an idea of how to create an exploit. This will of course not prevent a determined, skilled person from coming up with a hack, so you had better upgrade now.

The new package contains all language files that existed up till now.

Get the new release cpg1.4.8 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.8.zip?download

For those who are reluctant to spend the time & effort to upgrade heavily-modded galleries, you still *must* address this serious vulnerability.  A sufficient fix for this vulnerability would be to download the 1.4.8 package or use the copy of usermgr.php that is attached to this thread and replace your usermgr.php with the new one. For the future, please consider keeping track of your mods so you can properly upgrade to newer versions.  And consider using or creating plugins for mods as they do not modify the core scripts.

The maintenance release cpg1.4.8 of course contains all previous fixes of the 1.4.x-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.

Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your Coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).

Joachim Mueller
- Coppermine project manager -

adrianbj

Thanks for the additional update, but I think you forgot to attach the new 1.4.8 version of usermgr.php

Adrian

PS The download link you posted is not working either

adrianbj

Here is usermgr.php version 1.4.8

edit (by Paver): Thanks for the assistance.  I have added the file above, so have deleted yours here.

Paver

It takes a little time for Sourceforge to propagate the file to the various mirrors.  Try different ones or try later.

Paver

For those running 1.3.x galleries, you are strongly recommended to upgrade to 1.4.8.  The documentation clearly describes the upgrade from 1.3.x to 1.4.8 (link), including converting any custom 1.3 themes to the improved 1.4 theme system.  Most of the popular themes have already been converted and are browseable in the demo.  Many of the mods for 1.3 have been rewritten for 1.4, with some of them being rewritten into plugins.  The new plugins system allows you to modify Coppermine without hacking the core scripts, so upgrades are very easy.

We remind you that the Coppermine 1.3 series will soon go *unsupported* and only security vulnerabilities will be addressed in this series.

Immediately patch your 1.3.x gallery using the usermgr.php file attached to this post.  Replace your current file with this new one.

Once again, please consider upgrading.  The dev team and all the supporters and contributors are working hard to make sure the latest Coppermine version is the greatest one and at the same time is completely comfortable for 1.3 users.  Test drive the current version in the demo and take the time to upgrade your 1.3.x gallery.

Don-Duracell

Is it possible to create a mailing list to get the information directly and faster to the Users of the Gallery?
Live long and prosper...

Don-Duracell

FireMotion

Quote from: Don-Duracell on June 08, 2006, 09:43:06 PM
Is it possible to create a mailing list to get the information directly and faster to the Users of the Gallery?
There's already functionality for that.

If you have signed up at sourceforge.net, you can go to the project's files and monitor the package to be notified of any updates. You can't get the information any faster than that. :) Here's the url: http://sourceforge.net/project/showfiles.php?group_id=89658

Dead J. Dona

Is there a possibility to use some diff from the previous version, like the phpBB code changes?

I don't want to download 3 MB if I can download and replace one 5k file...
wbr, Me. Dead J. Dona

Joachim Müller


whmeeske

I have downloaded CPG1.4.8 from several mirrors of Sourceforge, but all of them are not valid zip-files, so I can't open them...
Is there another place where I can get a valid zip-file of CPG1.4.8?

Joachim Müller

Unable to replicate, works as expected for me (testing the mirrors Kent/UK, Belnet/Brussels/Belgium, SurfNet/Minneapolis/USA, Superb/McLean/USA, Switch/Lausanne/Switzerland) both in IE and FF.
Make sure to download the actual zip archive (extension "zip") if you only have an archiver that is capable of decompressing zip archives; do not use the file with the extension "7z" unless you actually have the free archiver software "7zip".

scooterdad

Well, I'm just glad that the folks there at Coppermine are taking care of such a great application, and I hope that they can continue to elevate such an application to higher standards.

Keep up the good work.

Raymond

innerflash

Very unlucky: I installed cpg1.4.7 on the same day of the release, and have been industriously working on it ever since. The site isn't published yet, but it's going to be soon.

The last albums uploaded aren't enabled, and I never meant to use it, because it's only me who can create albums anyway. However I can't set permissions for album viewing in "Groups". Is that related?

And if I really need to upgrade, isn't there a way to overwrite/replace/do something with files and MySQL?

Please do PM me, if you think a reply isn't convenient here, or if you're going to delete this message.  ???

Thanks a lot.
Give me a hint and I might give you a clue...

Paver

Your question about what to do to patch 1.4.7 is valid on this thread.  The other question about album permissions should go on the appropriate support board, but I recommend that you read the documentation before posting.

Yes, that's unlucky.  I apologize for that.  I guess if we had been slower in releasing 1.4.8, there would have been a lot more people in your situation.

In any case, the patch is very simple.  If you follow the bug report link above, the patch is in there.  Here is the exact post: http://forum.coppermine-gallery.net/index.php?topic=32337.msg150543#msg150543.  Do that, and you effectively have 1.4.8 (although the "versioncheck" tool won't know that of course).

I recommend using a "diff" tool to compare differences in the future.  With such a tool, you can upgrade and more easily apply your hacks to the new version.  You might even consider going whole-hog and using the Coppermine Subversion repository (click on the "Project" link above - the current release is the 'stable' branch).

Of course, the ideal case would be to keep all your mods to theme customizations, plugins, and add-ons . . .

innerflash

Thanks again Paver.

Applied the patch and hope to find a solution for the album permission issue in the board. I thought the problem was related to the reported bug, but I'm hopeful there's a solution waiting for me somewhere in the forum.

The mods I made were only customizations on the admin level and theme, so I don't think I'll have to worry about the core. Thanks for the advice anyway.

Cheers  :D
Give me a hint and I might give you a clue...

Paver

Split off support request: http://forum.coppermine-gallery.net/index.php?topic=33614.0

Do *not* post support requests on this thread or on this board.

erika_conn

I uploaded the latest program but I have run into a situation.  I'm getting error messages that read
Warning: fopen(): Unable to access sql/basic.sql in /home/cecon46/public_html/photo_gallery/install.php on line 453

Warning: fopen(sql/basic.sql): failed to open stream: Permission denied in /home/cecon46/public_html/photo_gallery/install.php on line 453

Welcome to Coppermine installation
• • • ERROR • • • 
The following errors were encountered and need to be corrected first:


--------------------------------------------------------------------------------

The file 'sql/basic.sql' could not be found. Check that you have uploaded all Coppermine files to your server


I did not get that file when I downloaded the program so what is a person to do?

Erika

Nibbler

Do *not* post support requests on this thread or on this board.

Locking.