The Coppermine development team is releasing a security update for Coppermine to counter a recently discovered vulnerability. All users who run version cpg1.5.26 or older should update to cpg1.5.28 as soon as possible.
How to update:
Users running versions prior to 1.5.28 should update immediately by downloading (https://sourceforge.net/projects/coppermine/files/Coppermine/1.5.x/cpg1.5.28.zip/download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://documentation.coppermine-gallery.net/en/upgrading.htm).
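The check a site operator wants before and after applying this update is simply whether each install is still older than cpg1.5.28. The following is an added example (not Coppermine's own code) that parses version labels in the "cpg1.5.26" / "1.5.28" form used on this page and triages a constructed, hypothetical host inventory; anything that cannot be parsed is treated as affected so it is not silently skipped.

```python
import re
from typing import Dict, List, Optional, Tuple

# First release carrying the XSS fix, per the announcement above.
FIXED_VERSION = (1, 5, 28)

# Accept both "cpg1.5.26" and "1.5.26"; the "cpg" prefix is optional.
_VERSION_RE = re.compile(r"^(?:cpg)?(\d+)\.(\d+)\.(\d+)$")


def parse_cpg_version(label: str) -> Optional[Tuple[int, ...]]:
    """Turn a Coppermine version label into a comparable tuple, or None if unrecognised."""
    m = _VERSION_RE.match(label.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def needs_update(label: str) -> bool:
    """True if the install is older than cpg1.5.28.

    An unparseable label is also reported as needing attention: a hidden or
    mangled version string is not evidence that the fix is present.
    """
    version = parse_cpg_version(label)
    if version is None:
        return True
    return version < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose Coppermine still needs the cpg1.5.28 update."""
    return sorted(host for host, label in inventory.items() if needs_update(label))


# Constructed sample inventory; the hostnames are hypothetical.
SAMPLE_INVENTORY = {
    "gallery-a": "cpg1.5.26",   # older than 1.5.28: affected
    "gallery-b": "1.5.28",      # already on the fixed release
    "gallery-c": "cpg1.4.27",   # older 1.4.x branch: affected
    "gallery-d": "unknown",     # cannot be parsed: flagged for manual review
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

The comparison is done on integer tuples rather than on the raw strings, so "1.5.9" correctly sorts below "1.5.28"; a plain string comparison would get that wrong.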
Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=90.0). Do not post your issues to this announcement thread - your post will be deleted without notice.
Why was cpg1.5.28 released?
The release fixes a recently discovered cross-site scripting (XSS) vulnerability that, if left unpatched, allows a malicious visitor to inject their own script code under certain conditions.
Additionally, cpg1.5.28 includes fixes for the following non-security related issues:
- Fixed misleading template error message
- Fixed display of keywords with special characters (thread (http://forum.coppermine-gallery.net/index.php/topic,76830.0.html))
- Removed duplicate page header if error occurs when deleting an album
- Added hidden feature to take the upload time of linked files into account in the album info (thread (http://forum.coppermine-gallery.net/index.php/topic,77021.0.html))
- Fixed reference to documentation in config
- Fixed various documentation glitches
- Optimized main page code to reduce database query count
- Fixed album and file count if category contains private albums
- Updated known issues page
- Fixed album and file count if a category contains sub-categories that are currently not displayed (thread (http://forum.coppermine-gallery.net/index.php/topic,60827.0.html), thread (http://forum.coppermine-gallery.net/index.php/topic,76914.0.html))
- Moved config options "Horizontal/vertical padding for full-size pop-up", "Albums can be private" and "Show private album icon to unlogged user" to other groups
- Don't redirect to registration form after login (thread (http://forum.coppermine-gallery.net/index.php/topic,77140.0.html))
- Added possibility to use pictures linked to albums via album keyword as category thumbnail (thread (http://forum.coppermine-gallery.net/index.php/topic,77008.0.html))
- Fixed function 'starttable' in theme 'curve' to make it fully compatible with plugin hook 'search_form'
- Replaced some jQuery code with plain JavaScript code to make admin tools compatible with later jQuery versions, in case users want to upgrade (thread (http://forum.coppermine-gallery.net/index.php/topic,76858.0.html))
- Updated Catalan language file (user contribution)
- Added plugin hook 'theme_thumbnails_header'
- Added plugin hooks 'comment_update', 'comment_add' and 'comment_approve' (thread (http://forum.coppermine-gallery.net/index.php/topic,60896.0.html))
- Increased character limit to allow recently released top-level domains (thread (http://forum.coppermine-gallery.net/index.php/topic,77183.0.html))
- Added function 'theme_album_info' to make information which is displayed next to each album themeable
- Fixed several issues with keywords manager
- Fixed utilization of CSS class 'middlethumb' on film strip (thread (http://forum.coppermine-gallery.net/index.php/topic,77353.0.html))
- Updated packaging docs
The Coppermine Team
Users running PHP 4, please read this (http://forum.coppermine-gallery.net/index.php/topic,76999.0.html).