The Chevereto "pi" (3.14) must-have update

Status
Not open for further replies.

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
A few weeks ago I released 3.14.0 and shortly after that 3.14.1, and while the release is known for adding support for WebP and APNG, it was created almost exclusively to address important security issues present in the software that were reported in Nov-Dec 2019 by Jinny Ramsmark (thank you!). You can get access to the report in this blog entry.

It is my responsibility to remark how important it is for you to install the update as any installation running < 3.14 is vulnerable to all the attacks reported. To avoid any potential security issue, data breach or anything worse, do please consider updating as soon as possible.

The instructions for update are available here: https://chevereto.com/docs/update-guide (if your installation is unable to connect to our server try the manual procedure).

I understand that some installations aren't working properly under 3.14, which is in part because this release highly increased the standard:
  1. The real connecting IP is no longer determined using HTTP headers and it now relies on the appropriate server module.
    ^ If your installation doesn't show the real IP it means that you are using CloudFlare (or any reverse proxy) and your server needs to report the real IP.
  2. Cookies now require same-site, http-only and secure.
    ^ Proxied servers or badly configured SSL could cause interruption of the login system due to the lack of set cookie headers.
  3. White-page issues
    ^ When display_errors is disabled it is very likely that upon any error the website will show a white page. Don't panic; get the actual error from your error_log and open a ticket. You could also try with debug.
I'm sorry for the inconveniences this may cause and as always, I'm available for all your technical concerns via this community or Discord.

Cheers,
Rodolfo.
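
Item 1 above, illustrated with an added example (not Chevereto's code and not part of the original post): a sketch of the decision a server-side real-IP module makes, where a forwarding header is honoured only when the connecting peer is a configured proxy. The `X-Forwarded-For` header name, the function names and the proxy ranges are assumptions chosen for illustration.

```python
import ipaddress

# Constructed example values: networks of the reverse proxies the server trusts.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def _is_trusted(addr):
    """True when addr belongs to one of the configured proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, forwarded_for=None):
    """Return the address to record for a request.

    peer          -- TCP peer address as seen by the web server
    forwarded_for -- raw X-Forwarded-For value (assumed header), or None
    """
    current = ipaddress.ip_address(peer)
    # A header sent by a peer that is not a trusted proxy is client-controlled
    # input, so it is ignored and the TCP peer address is used as-is.
    if not _is_trusted(current) or not forwarded_for:
        return str(current)
    # Walk right to left: each entry was appended by the hop that follows it,
    # so an entry is believed only while the hop vouching for it is trusted.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that was verified
        current = candidate
        if not _is_trusted(current):
            break  # first untrusted address is the real client
    return str(current)
```

When the proxy ranges are not configured on the server, every request is recorded with the proxy's own address, which is the "doesn't show the real IP" symptom described in the post.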