3.5.3 Security Release
3.5.3 has been released and includes multiple non-critical security fixes. All previous versions of Ampache are affected. It is recommended that all users upgrade to 3.5.3 as soon as possible.
This release addresses a non-critical security issue caused by unsafe creation of temporary files in a shell script that is included with, but not used by, the application. It also fixes a few other minor bugs and adds the ability to install Ampache without full rights on your database server (Hosted Solutions). Take a look at the changelog for complete details.
I’d also like to take this opportunity to welcome Momo-i as a new contributor to Ampache. Momo-i has just started, and has already gotten a lot of work done on the translations and improved support for non-Latin character sets.
This is hopefully, barring any more major bugs being found, the last release of the 3.3.x branch of Ampache. This release includes a few minor security fixes as well as a completely revamped LastFM scrobbling method. Current users of the LastFM plugin will have to upgrade their plugin by going to Admin -> Config -> Modules. This release also corrects some playback issues with Foobar and WMP. It also implements a stop-gap fix for Audacious 1.3.x’s sloppy stream type detection that results in a very large number of repetitive requests. 3.4-Alpha2 has a permanent fix for Audacious 1.3.x.
3.4-Alpha2 is coming along; depending on work, I hope to release it sometime this week. Alpha2 will include all major features from 3.3.x except Localplay, Democratic Play & XML-RPC.
In response to a few register_globals-related security issues in other web applications, a security audit was performed on Ampache. We found that with register globals on, a user could gain guest-level access to your Ampache instance. This release closes this security hole and corrects some other minor issues with the 3.3.2 release.
This exploit specifically allows them to bypass the session requirements for the standard Ampache pages; however, their user will have an access level of 0 (Guest has 5). They will not be able to stream, download or access any admin functions, but they can browse your catalog. This only affects you if you have register globals turned on. In general it is recommended that you turn register globals off. If you do not have access to the server's php.ini you can disable register_globals by creating a .htaccess file in your Ampache root with php_value register_globals off.
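The .htaccess mitigation above as a repeatable step, written as an added example that is not part of the original post or of Ampache. The function names and the directory argument are hypothetical; the directive is the one quoted above, and the scratch file is created with mktemp rather than under a predictable name.

```shell
#!/bin/sh
# Added example, not Ampache code. DIRECTIVE is the line quoted in the post;
# the function names and the directory argument are hypothetical.
DIRECTIVE='php_value register_globals off'
# Matches any existing register_globals setting, php_value or php_flag.
RG_PAT='^[[:space:]]*php_(value|flag)[[:space:]]+register_globals'

# ensure_register_globals_off DIR
# Leave DIR/.htaccess with exactly one register_globals directive, set to off,
# keeping every other line. Safe to run repeatedly.
ensure_register_globals_off() {
    dir=$1
    ht="$dir/.htaccess"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # mktemp picks an unpredictable name and creates the file exclusively;
    # placing it beside the target makes the final mv an atomic rename.
    tmp=$(mktemp "$dir/.htaccess.XXXXXX") || return 1
    if [ -f "$ht" ]; then
        # grep exits 1 when every line was filtered out; only >1 is an error.
        grep -v -i -E "${RG_PAT}([[:space:]]|\$)" "$ht" > "$tmp" ||
            [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    fi
    printf '%s\n' "$DIRECTIVE" >> "$tmp"
    # mktemp creates the file 0600; the web server must be able to read it.
    chmod 644 "$tmp"
    mv "$tmp" "$ht"
}

# register_globals_disabled DIR
# Exit 0 only if DIR/.htaccess turns register_globals off and never on.
register_globals_disabled() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    ! grep -q -i -E "${RG_PAT}[[:space:]]+(on|1|true|yes)" "$ht" &&
        grep -q -i -E "${RG_PAT}[[:space:]]+(off|0|false|no)" "$ht"
}
```

The directive only takes effect where Apache runs PHP as a module and AllowOverride permits it in .htaccess; the check inspects the file, not the effective PHP setting.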
Due to a security flaw in the Snoopy class which allowed authenticated users to remotely execute code on the web server I’ve just released Alpha3 and 3.3.1.6. Please upgrade as soon as possible if you are using an earlier version. 3.3.1.5 still has the security flaw. Sorry for the inconvenience.
This security flaw pushed up the Alpha3 release and as such there will be an Alpha4 which will include a new interface. More information to come after December 10th.