More info on:
http://www.zenphoto.org/news/zenphoto-1.4.1.6
No, the 1.4.1.6 release (as noted on the post) just incorporates the changes mentioned on the 2nd security post. Otherwise it is just 1.4.1.5. Btw, that is mentioned in the release post's first sentence. ;-)
Again, note that the svn trunk is NOT 1.4.1.6 but already 1.4.2 beta (the dev svn stream as well) as the 1.4.1.x line was actually considered complete. This was announced a week or so ago.
A slightly different question: I have downloaded and installed the 1.4.3 DEV (8385) version and done the corrections you suggested in the "Security alert - Part 2 update 2". Am I OK?
P.S. One site was hacked, the other was not, but I cleaned and updated both anyways.
Yes, as far as we know. But I recommend using the TRUNK svn as that will become the next version 1.4.2. That is beta and will not get new features until the scheduled release (see roadmap on the bugtracker). Using this will help us find bugs we missed.
The DEV svn is for 1.4.3 somewhere in the future. Currently both are still the same but soon this one might get experimental. So we can't recommend using this on a live site currently.
After being affected by this loophole and clearing out the old install, when I come to upload (cPanel) the install package, my host's system is rejecting the 1.4.1.6.zip, saying it contains a virus (scanner is probably ClamAV).
I cannot get any details as to which file it objects to.
Has this been an issue for anyone else?
Maybe we are missing something here. Without the "ajax file manager" we cannot use the "Files" tab under "Upload".
Which seems to mean the only way to add photos is via the web page upload.
Is there some other way to get Zenphoto to process files we already have copied to the server? That has always been our preferred method to load pictures.
Any help is appreciated.