Important security patch released for Newscoop 4.0.x
  • This weekend our attention was drawn to a Newscoop vulnerability that affects all 4.0.x users. It is rated ‘critical’ and all users are recommended to patch immediately.

    The issue exposes potentially account-compromising database and user information during error reporting on front-end templates.

    Without the patch, when front-end controllers fail, errors are presented in the front-end templates via error_error.tpl front-end view, even if APPLICATION_ENV is set to production mode.

    This quick failsafe solution should be applied immediately.

    How To Fix

    Let’s assume your Newscoop directory is /var/www/newscoop. Here are the steps...

    1) Download the patch file 0001-CS-4543-Unnecessary-error-reporting-exposed-on-front.patch

    2) Make sure the current directory is /var/www/newscoop

    $ cd /var/www/newscoop

    3) Apply the patch (attached to this post, click on the icon below (looks like a piece of paper!))

    $ patch -p1 <

    The files to be patched are:


    All Sourcefabric customers are already protected and need to take no action.

    If you are unsure of how to apply this fix or whether you affected, please mail immediately.

    Thanks, Adam

    Post edited by Adam Thomas at 2013-01-23 05:51:45
  • 5 Comments sorted by
  • Hi, and thanks for the info.  But (I'm a n00b) download the patch from *where*?? You don't say.
    Have A Healthy, Prosperous Day!
    Have A Healthy, Prosperous Day!
  • Hi Robert,

    You should see what looks like a piece of paper at the bottom of the post above. That's our forum's odd way of saying 'there's a file attached to this post.' click that icon and the download should begin!

    I'll clarify this in the post!

    Best, A
  • Hello again, Adam. Thank you for taking the time. Got it !! (missed space at ' < ' ) after a couple of errors, but it seems OK w/no errors now. Will get down to business of learning (trying) this
    system right away. My biggest headaches have been with mysql/db configure, install/admin stuff.
    As I said, I'm not a coder, and *don't* wish to be. So far, every software I've tried depends heavily
    on the user to desire to learn to code/program/compile. IMHO this approach is short-sighted, and loses many, many content producers or would-be journalist. Why? Because it takes away from the person has already spent a lifetime doing: communicating in their native language; not computer code. I have ideas for implementation that I'm confident would help with this, but don't know any programmers to listen to me. We all forget that what we already know takes small, simple steps (take nothing for granted) when explaining or otherwise making available to the uninitiated. In any event, thank you so much for your time. It was a great help!!
    Have A Healthy, Prosperous Day!!
    Have A Healthy, Prosperous Day!
  • Vote Up0Vote Down Daniel JamesDaniel James
    Posts: 844Member, Sourcefabric Team
    Hi Robert,

    If you have trouble downloading the patch, please try this direct link:

    The point you make about journalists and coders is a good one - if you have ideas, we're listening :-) Please end me or Adam a direct message, or start a new topic in the Newscoop forums.


  • Hi Robert,

    Sounds like you are describing #newsbeta, our initiative to get coders and non-coders working together on tools....

    Welcome to the community! :)

    Best, Adam