The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.34 or older update to this latest version as soon as possible.
How to update:
Users running versions prior to 1.5.36 should update immediately by downloading (https://sourceforge.net/projects/coppermine/files/Coppermine/1.5.x/cpg1.5.36.zip/download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://documentation.coppermine-gallery.net/en/upgrading.htm).
Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=90.0). Do not post your issues to this announcement thread - your post will be deleted without notice.
Why was cpg1.5.36 released?
The release fixes a recently discovered XSS vulnerability that, if left unpatched, allows a malicious visitor to inject script of their own into gallery pages under certain conditions. Furthermore, an open redirect issue and a directory enumeration issue have been fixed.
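The announcement names the bug classes but not the affected code, so the following is an added illustration of the two code-level classes (XSS and open redirect) in PHP, the language Coppermine is written in. It is not Coppermine's code and not the fix shipped in cpg1.5.36; the function names and the constructed inputs are assumptions made for the example.

```php
<?php
// Added example: generic hardening patterns for the XSS and open-redirect
// bug classes named in the release notes. Not Coppermine's code; names
// and inputs below are assumptions made for illustration.

// Encode untrusted text before placing it in an HTML page so that a
// visitor-supplied value is rendered as text rather than as markup/script.
function cpg_example_escape(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept a "return to" target only if it is a relative path inside the
// gallery. Absolute URLs (any scheme), protocol-relative URLs (//host),
// backslash variants browsers normalise to //host, traversal and control
// characters all fall back to a known-safe page instead of being followed.
function cpg_example_safe_referer(string $target, string $fallback = 'index.php'): string
{
    $target = trim($target);
    if ($target === ''
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $target)   // scheme: (http:, javascript:, ...)
        || preg_match('#^[/\\\\]{2}#', $target)            // //host or \\host or /\host
        || strpos($target, '..') !== false                 // path traversal
        || preg_match('/[\x00-\x1F]/', $target)) {         // control characters
        return $fallback;
    }
    return $target;
}

// Demonstration on constructed input: true means the value should pass unchanged.
$examples = [
    'thumbnails.php?album=3'    => true,
    'https://attacker.example/' => false,
    '//attacker.example/'       => false,
    '/\\attacker.example/'      => false,
    'javascript:alert(1)'       => false,
    '../../etc/passwd'          => false,
];
foreach ($examples as $in => $shouldPass) {
    $out = cpg_example_safe_referer($in);
    printf("%-28s -> %s%s\n", $in, $out, (($out === $in) === $shouldPass) ? '' : '  (UNEXPECTED)');
}

// The XSS side: the script tags come back as inert text.
echo cpg_example_escape('<script>alert(1)</script>'), "\n";
```

The redirect check is an allow-list (relative path only), not a deny-list of known bad prefixes; that is the property to verify when reviewing a fix for this class, because browsers accept several spellings of "other host" that a single string comparison would miss.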
Additionally, cpg1.5.36 includes fixes for the following non-security related issues:
- Strip whitespace from imported IPTC title and caption (thread (http://forum.coppermine-gallery.net/index.php/topic,77981.0.html))
- Fixed icon when deleting picture from an album (thread (http://forum.coppermine-gallery.net/index.php/topic,78036.0.html))
- Made phpBB 3 bridge compatible with phpBB version 3.1.x (thread (http://forum.coppermine-gallery.net/index.php/topic,78055.0.html))
- Updated Italian language file (thread (http://forum.coppermine-gallery.net/index.php/topic,78101.0.html))
- Fixed database error for non-existing files (thread (http://forum.coppermine-gallery.net/index.php/topic,78067.0.html))
- Fixed typo in French docs (thread (http://forum.coppermine-gallery.net/index.php/topic,78188.0.html))
Thanks to Mahendra (http://forum.coppermine-gallery.net/index.php?action=profile;u=171083) for discovering the vulnerability.
The Coppermine Team
Users running PHP 4, please read this (http://forum.coppermine-gallery.net/index.php/topic,76999.0.html).
Thank you Andre (http://forum.coppermine-gallery.net/index.php?action=profile;u=24278) for all your hard work in fixing this when you are so busy. Also big thanks to gmc (http://forum.coppermine-gallery.net/index.php?action=profile;u=27045) for help in testing and code suggestions.