Print Page - cpg1.5.32 Security release

Title: cpg1.5.32 Security release - upgrade mandatory!
Post by: Αndré on October 07, 2014, 11:11:01 AM

The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.30 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.5.32 should update immediately by downloading (https://sourceforge.net/projects/coppermine/files/Coppermine/1.5.x/cpg1.5.32.zip/download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://documentation.coppermine-gallery.net/en/upgrading.htm).

Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=90.0). Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.5.32 released?
The release covers a recently discovered XSS vulnerability that allows (if unpatched) a malevolent visitor to include own script routines under certain conditions.

Additionally, cpg1.5.32 includes fixes for the following non-security related issues:

Updated Czech language file (user contribution)
Fixed displaying wrong image issue (thread (http://forum.coppermine-gallery.net/index.php/topic,77705.0.html))
Fixed issue with user gallery pagination (thread (http://forum.coppermine-gallery.net/index.php/topic,77790.0.html))
Added hidden feature to hide already existing files on batch-add interface (thread (http://forum.coppermine-gallery.net/index.php/topic,77671.0.html))
Fixed pre-selection of files for Windows driven systems on batch-add interface (thread (http://forum.coppermine-gallery.net/index.php/topic,77834.0.html))
Fixed several issues with file path names on batch-add (thread (http://forum.coppermine-gallery.net/index.php/topic,77820.0.html), thread (http://forum.coppermine-gallery.net/index.php/topic,77823.0.html))
Added hidden feature to display only empty albums on batch-add (thread (http://forum.coppermine-gallery.net/index.php/topic,77824.0.html))
Fixed comment form submit for Android browser

Thanks to chipviled (http://forum.coppermine-gallery.net/index.php?action=profile;u=169315) for discovering the vulnerability.

The Coppermine Team

Title: Re: cpg1.5.32 Security release - upgrade mandatory!
Post by: Αndré on October 07, 2014, 01:48:15 PM

Users running PHP 4, please read this (http://forum.coppermine-gallery.net/index.php/topic,76999.0.html).

Title: Re: cpg1.5.32 Security release - upgrade mandatory!
Post by: theqe2story on October 12, 2014, 03:26:50 PM

Upgrade went smoothly, thanks very much, keep up the good work!

Title: Re: cpg1.5.32 Security release - upgrade mandatory!
Post by: pols1337 on October 14, 2014, 04:44:55 AM

Thanks for the continued dedication and development 8)

coppermine-gallery.com/forum

No Support => Announcements => Topic started by: Αndré on October 07, 2014, 11:11:01 AM