Maintenance release cpg1.4.7 - upgrade mandatory!
 


Started by Joachim Müller, June 06, 2006, 06:45:07 PM


Joachim Müller

The Coppermine dev team announces the release of cpg1.4.7.
The new release does not contain additional new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. The reason for the release of this package is the discovery of a bug in previous Coppermine versions. All Coppermine users are strongly encouraged to upgrade their Coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).
It's mandatory to upgrade any previous versions, as the impact of the vulnerability that led to the release of cpg1.4.7 is high!

So far there have been no reports of an exploit of the vulnerability, so the Coppermine dev team decided not to post instructions for a manual fix, to prevent wannabe-hackers from getting an idea of how to create an exploit. This will of course not prevent a determined, skilled person from coming up with a hack, so you had better upgrade now.

The new package contains all language files that existed up till now.

Get the new release cpg1.4.7 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.7.zip?download

For those who are reluctant to spend the time & effort to upgrade heavily-modded galleries, you still *must* address this serious vulnerability.  A sufficient fix for this vulnerability would be to download the 1.4.7 package or use the copy of usermgr.php that is attached to this thread and replace your usermgr.php with the new one. For the future, please consider keeping track of your mods so you can properly upgrade to newer versions.  And consider using or creating plugins for mods as they do not modify the core scripts.

The maintenance release cpg1.4.7 of course contains all previous fixes of the 1.4.x-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.

Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your Coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).

Joachim Mueller
- Coppermine project manager -

Paver

#1
For those running 1.3.x galleries, you are strongly recommended to upgrade to 1.4.7.  The documentation clearly describes the upgrade from 1.3.x to 1.4.7 (link), including converting any custom 1.3 themes to the improved 1.4 theme system.  Most of the popular themes have already been converted and are browseable in the demo.  Many of the mods for 1.3 have been rewritten for 1.4, with some of them being rewritten into plugins.  The new plugins system allows you to modify Coppermine without hacking the core scripts, so upgrades are very easy.

We remind you that the Coppermine 1.3 series will soon go *unsupported* and only security vulnerabilities will be addressed in this series.

Immediately patch your 1.3.x gallery using the usermgr.php file attached to this post.  Replace your current file with this new one.

Once again, please consider upgrading.  The dev team and all the supporters and contributors are working hard to make sure the latest Coppermine version is the greatest one and at the same time is completely comfortable for 1.3 users.  Test drive the current version in the demo and take the time to upgrade your 1.3.x gallery.

extrabigmehdi

Hi
1) Why is it not announced on the official Coppermine homepage?
2) No patch for upgrade? I mean, I have to redownload everything?

Paver

(1) The news item on the main page is posted when it's posted, usually within 12 hours or so.
(2) If you read the announcement thread carefully, you'll see that it tells you how to patch the main security threat.  The other minor bugs will not be fixed unless you download the whole package and do a proper upgrade.

Joachim Müller

Quote from: extrabigmehdi on June 07, 2006, 03:36:10 AM
1) Why is it not announced on the official Coppermine homepage?
I'm a human - I have a life, a family, a job and not always FTP-access from everywhere. A news item on the home page will be posted as soon as I have the time to do so. ::)

Paver

#5
For those who use the 'lastalb' or "Last Updated Albums" meta-album and MySQL 4.1+, you may be subject to a serious stability problem in Coppermine 1.4.7.

Please see this thread.

It is still mandatory to upgrade to fix the security hole, but you also need to address this stability issue. You can apply the manual fix listed in the thread above or replace your include/functions.inc.php with the file attached to this post.

I apologize for this problem, as it was completely my fault.  I wish I could chalk it up to a rookie mistake, but I should have known better.  Please do not let this reflect on your image of Coppermine as a whole.  It was my mistake, and I ignored one of the dev team's rules to only put new features into the development branch.  I should have realized that trying a new type of query was such a new feature.  I instead merely looked at it as a bug fix.

Note: This attached file is *only* meant for those who installed or upgraded to the complete 1.4.7 package.  You do *not* need this file if you merely applied the hotfix of replacing usermgr.php.

L200man

Tried just uploading the 'two file' fix - screwed my gallery  >:(

L200man

Paver

L200man: Please post on the cpg1.4 upgrading board with details of your upgrade. 

The first file (usermgr.php) is meant for those who are running 1.4.x with no mods in usermgr.php.

The second file (includes/functions.inc.php) is meant for those who installed 1.4.7 completely.  You don't need the second file if you only replaced usermgr.php.

Paver

This release has been rendered invalid by the release of 1.4.8.

Please go to this thread: http://forum.coppermine-gallery.net/index.php?topic=32413.0