234137 CVE-2008-3600 2008-08-06 22:30 0000 www-apps/gallery <1.5.8 Multiple vulnerabilities (CVE-2008-3600) 2008-11-10 17:54:41 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/31367/ B3? [glsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org rbu@gentoo.org 2008-08-06 22:30:11 0000 Secunia writes: Some vulnerabilities have been reported in Gallery, which can be exploited by malicious users to disclose sensitive information, bypass certain security restrictions, and manipulate data, and by malicious people to conduct cross-site scripting attacks. 1) An unspecified error can be exploited by malicious users to disclose potentially sensitive information. 2) Various components do not properly enforce role based access controls. This can be exploited to bypass access restrictions and e.g. perform sensitive actions. 3) Various components expose certain functionality which can be exploited to list directories and e.g. read and delete files or write to existing files. 4) Certain input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 5) Some vulnerabilities are caused due to "Insecure Command Execution" when e.g. processing archives or watermarks. The vulnerabilities are reported in versions prior to 1.5.8. SOLUTION: Update to version 1.5.8 PROVIDED AND/OR DISCOVERED BY: The vendor credits Digital Security Research Group and Gotham Digital Science. ORIGINAL ADVISORY: http://gallery.menalto.com/gallery_1.5.8_released wrobel@gentoo.org 2008-09-07 20:41:53 0000 Removed gallery-1.5.3, 1.5.7, added 1.5.8. Targets: alpha amd64 hppa ppc sparc x86 rbu@gentoo.org 2008-09-08 14:46:09 0000 Arches, please test and mark stable: =www-apps/gallery-1.5.8 Target keywords : "alpha amd64 hppa ppc sparc x86" fmccor@gentoo.org 2008-09-08 14:57:28 0000 Is -1.5.8 preferred over -2.2.5 which is already stable on everything? rbu@gentoo.org 2008-09-08 16:01:50 0000 gallery 1.X and 2.X are maintained independently, and our (previous stable) 1.5.3 ebuild has been removed. If web-apps decides to maintain 1.X (as does upstream), we need to mark the 1.5.8 version stable. fmccor@gentoo.org 2008-09-08 16:36:55 0000 Seems strange, but OK. Sparc stable. armin76@gentoo.org 2008-09-09 13:39:07 0000 alpha/x86 stable jer@gentoo.org 2008-09-09 23:21:26 0000 >>> Install gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/ category www-apps dodoc: AUTHORS does not exist dodoc: ChangeLog does not exist dodoc: ChangeLog.archive does not exist dodoc: README does not exist cp: cannot stat `./gallery-1.5.8/gallery': No such file or directory install: cannot stat `/mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/temp/gallery': No such file or directory * (info) /keeps/gentoo/portage/www-apps/gallery/files/postinstall-en.txt (lang: en) >>> Completed installing gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/ That doesn't seem right... jer@gentoo.org 2008-09-10 00:35:47 0000 Stable for HPPA. maekke@gentoo.org 2008-09-11 20:12:44 0000 @web-apps: please fix the thingie in comment #7, so ugly =) amd64 stable wrobel@gentoo.org 2008-09-15 12:12:43 0000 Fixed the installation errors in CVS. dertobi123@gentoo.org 2008-09-19 18:50:18 0000 ppc stable py@gentoo.org 2008-09-19 19:56:45 0000 time for GLSA decision, I vote YES. keytoaster@gentoo.org 2008-09-22 12:42:57 0000 YES too, request filed. wrobel@gentoo.org 2008-09-29 06:20:02 0000 Hrm, removed stable version before we stabilized this one. My mistake. Anyhow, the new version got stabilizied pretty fast and nobody complained so I guess it was okay. webapps done. keytoaster@gentoo.org 2008-11-10 17:54:41 0000 GLSA 200811-02, thanks everyone, sorry about the delay.