=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN306
_____________________________________________________________________

DATE                      : 07/06/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Coppermine Photo Gallery.

======================================================================
http://coppermine-gallery.net/forum/index.php?topic=32333.0
______________________________________________________________________

The Coppermine dev team announces the release of cpg1.4.7.
The new release does not contain additional new features (compared to previous 
versions of cpg1.4.x), but contains fixes for several minor issues. The reason 
for the release of this package is the discovery of a bug in previous Coppermine 
versions. All Coppermine users are strongly encouraged to upgrade their 
Coppermine version as soon as possible. Upgrade instructions are included in the 
package (refer to the index file inside the docs folder).
It's mandatory to upgrade any previous versions, as the impact of the 
vulnerability that led to the release of cpg1.4.7 is high!

So far there have been no reports of an exploit of the vulnerability, so the 
Coppermine dev team decided not to post instructions for a manual fix to prevent 
wannabe-hackers from getting an idea how to create an exploit. This will of 
course not prevent a determined, skilled person from coming up with a hack, so you 
had better upgrade now.

The new package contains all language files that existed up till now.

Get the new release cpg1.4.7 here: 
http://prdownloads.sourceforge.net/coppermine/cpg1.4.7.zip?download

For those who are reluctant to spend the time & effort to upgrade heavily-modded 
galleries, you still *must* address this serious vulnerability. A sufficient 
fix for this vulnerability would be to download the 1.4.7 package or use the 
copy of usermgr.php that is attached to this thread and replace your usermgr.php 
with the new one. For the future, please consider keeping track of your mods so 
you can properly upgrade to newer versions. And consider using or creating 
plugins for mods as they do not modify the core scripts.

The maintenance release cpg1.4.7 of course contains all previous fixes of the 
1.4.x-series as well as several minor issues that have been reported on the bugs 
board. Please review the changelog that comes with the package for details.

Please do not clutter this announcement thread with individual support requests 
or similar, only replies that deal with the actual release are allowed - all 
unrelated replies will be deleted without further notice.
If you have issues with upgrading your Coppermine install, post on the cpg1.4.x 
upgrading sub-board (after having read the docs and after having searched the 
board).

Joachim Mueller
- Coppermine project manager -

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
