Maintenance release cpg1.4.12 (security issue) - upgrade mandatory Maintenance release cpg1.4.12 (security issue) - upgrade mandatory
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Maintenance release cpg1.4.12 (security issue) - upgrade mandatory

Started by Joachim Müller, July 02, 2007, 06:07:13 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Joachim Müller

Coppermine 1.4.12 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered mySQL vulnerability that can lead to disclosure of sensitive information. It is important that all users who run version cpg1.4.10 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to include/functions.inc.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.11 as well.

To manually fix the vulnerability, edit include/functions.inc.php (using a plain-text editor), find            $aid_str = implode(",",array_keys($alb_pw));and replace with          foreach($alb_pw as $aid => $value) {
            $aid_str .= (int)$aid . ",";
          }

          $aid_str = substr($aid_str, 0, -1);


The following issues have been addressed in this release:
  • 2007-07-02 Release of cpg1.4.12 {GauGau}
  • 2007-07-02 Backported parts of the cpg1.5.x documentation for cpg1.4.x {GauGau}
  • 2007-07-02 Fixed double quotes for comment input fields (thread ID 40423) {GauGau}
  • 2007-07-02 Replaced string "CVS" with "SVN" to reflect the changed repository structure of the SF.net code repository {GauGau}
  • 2007-06-30 Fixed multiple password protected albums bug {Abbas}
  • 2007-06-28 Release of cpg1.4.11 {GauGau}
  • 2007-06-28 Fixed a vulnerability where SQL injection was possible with array indices of album password cookie {Abbas}
  • 2007-03-30 Renamed default cookie name to version-independant name to avoid confusion for beginners {GauGau}
  • 2007-03-26 Added German version of the FAQ (user contribution, work in progress) {GauGau}
  • 2007-01-29 Correcting links {Nibbler}
  • 2007-01-24 Added Lithuanian translation (user contribution) {GauGau}
  • 2007-01-15 Added Arabic translation (user contribution) {GauGau}
  • 2007-01-14 Fixed situation in plugin api that caused bizarre plugin behavior when plugins called underlying plugin api hooks {Donnoman}
  • 2007-01-08 Fixed the vulnerability mentioned in topic 39943, though only admins could have exploited that. {Abbas}
  • 2006-12-28 Fixed garbage collection deleting special file "no_FTP-uploads_into_this_folder!" inside edit folder {GauGau}
  • 2006-12-28 Fixed bug in search by keyword {GauGau}
  • 2006-12-27 Updated copyright date {GauGau}
  • 2006-12-27 Small fix in background image of sub menu for project_vii {GauGau}
  • 2006-12-27 Updated zipdownload with more recent library to enable zip downloads for mac users {GauGau}
  • 2006-12-13 Fixed visibility of upload link for users disallowed public uploads, but allowed personal galleries {GauGau}
  • 2006-12-11 Replaced HTML entities with actual characters in Danish language file {GauGau}
  • 2006-12-06 Avoid attempting to send emails to admins who have no email address in profile. {Nibbler}
  • 2006-11-28 Added Hindi language file (user contribution) {GauGau}
  • 2006-11-27 Fixing redirect to file after new upload while bridged. {Nibbler}
  • 2006-11-17 Updated code in FAQ entry {Nibbler}
  • 2006-11-12 Fixed plugin api sleep and wake actions to be scoped correctly. {Donnoman}
  • 2006-11-09 Fixed display of hit stats link on displayimage {Nibbler}
  • 2006-11-09 Added Thai language (user contribution) {GauGau}

To update any version of Coppermine to version 1.4.12, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Why was cpg1.4.12 released only three days after the release of cpg1.4.11?
The security issue discussed in this thread has been fixed in cpg1.4.11 as well, that's why cpg1.4.11 was released on 2007-06-29. However, the fix that went into cpg1.4.11 had a minor bug (a missing dot). We apologize for any inconvinience that this slight error may have caused. Subsequently, cpg1.4.11 solves the security issue just as well as cpg1.4.12. The only difference is cosmetical - users who have applied cpg1.4.11 already will hardly notice the difference between cpg1.4.11 and cpg1.4.12 - there's no real reason for them to go through the upgrade process again. However: all users who run older versions than cpg1.4.11 need to upgrade to cpg1.4.12 no matter what.

Joachim Müller (aka GauGau)
- Coppermine project manager -