cpg1.4.20 Security release - upgrade mandatory! cpg1.4.20 Security release - upgrade mandatory!
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

cpg1.4.20 Security release - upgrade mandatory!

Started by Joachim Müller, February 04, 2009, 09:18:19 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Joachim Müller

The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.19 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.4.20 should update immediately by downloading the latest version from the download page page and follow the upgrade steps in the documentation.

Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Why was cpg1.4.20 released?
The release covers a recently discovered vulnerability that allows (if unpatched) the uploading and execution of remote code (milw0rm exploit 7909). Additionally, these non-security related issues have been fixed:
  • Updated XMB bridge file to work with recent versions of that application (user contribution, thread ID 57550)
  • Update names associated with pictures and comments when user name is changed
  • Fixed issue involving display of name field in the report to admin form
  • Added missing translation to German language files (thread ID 56204)
  • Re-did the credits section of the language files for easier future integration into cpg1.5.x
  • Removed double ; at line ends (thread ID 51899)
  • Fixed validation issue with registration screen (thread ID 51310)
  • Added error message if pic editor is being run with missing parameters or without authorization (thread ID 54414)
  • Fixed error message in ecard.php that complained about wrong recipient email although sender email is wrong (thread ID 50844)
  • Fixed minor smilies issue (thread ID 52804)
  • Fixed upload permission issue for bridged galleries (thread ID 50798)
  • Improved improper translation (thread ID 50460)
  • Corrected SMF2 anonymous user fix
  • Reduced memory usage of keyword manager
  • Added Croation language file (user contribution)
  • Fixing thumbnail dimension calculation rounding error

Big thanks go to Michael Brooks and str0ke at milw0rm who discovered the vulnerability and Aditya for coming up with the fix.

Thanks,
The Coppermine Team

Pascal YAP