Bug#: 124614
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Andreas Vinsander <andreas@vinsander.se>
Attachments:
  gallery-2.0.3.ebuild (id=81178) - "Possible 2.0.3 ebuild?" - application/octet-stream - donald webster - 2006-03-02 23:40 - 1.09 KB
  gallery-2.0.3.ebuild (id=81179) - "faster, harder, better, stronger!" - application/octet-stream - donald webster - 2006-03-02 23:48 - 1.13 KB

Bug 124614 depends on: bug 125830



Description:   Opened: 2006-03-02 02:26
Just got a mail from the gallery-announce list:

Gallery 2.0.3 is now available for download. This release adds no new features.
It fixes a minor XSS exploit and an exploit in the session code that could
allow users to remotely delete session files. These security flaws were
discovered during an independent audit by James Bercegay from GulfTech Security
Research who reported them to us and worked with us to provide an appropriate
solution. There are no known exploits of these flaws in the wild. However, we
strongly recommend that you upgrade to version 2.0.3 as soon as possible.
Please follow our upgrading instructions and download and install the latest
release.

Upgrading is quick and easy and will help you ensure the security of your
system.  Visit http://gallery.menalto.com/gallery_2.0.3_released for more
details.

Patch Files:
http://codex.gallery2.org/index.php/Gallery2:Download#Upgrades

Instructions:
http://codex.gallery2.org/index.php/Gallery2:Upgrading_to_2.0.x

If you have any questions, please ask in the Gallery 2 forums:
http://gallery.menalto.com/forum/62

regards,
The Gallery Team

------- Comment #1 From donald webster 2006-03-02 23:40:15 0000 -------
Created an attachment (id=81178)
Possible 2.0.3 ebuild?

I commented out the ffmpeg patch, because I wasn't 100% sure if it
needed to be applied.

------- Comment #2 From donald webster 2006-03-02 23:48:54 0000 -------
Created an attachment (id=81179)
faster, harder, better, stronger!

I've uncommented the patch line after looking at the 2.0.3 source and finding
the elderly "singlejpeg" line.

------- Comment #3 From Thierry Carrez (RETIRED) 2006-03-03 10:12:46 0000 -------
Updating status, web-apps please bump

------- Comment #4 From Renat Lumpau 2006-03-05 16:53:21 0000 -------
bumped

------- Comment #5 From Thierry Carrez (RETIRED) 2006-03-06 09:30:26 0000 -------
Arches please test and mark 2.0.3 stable

------- Comment #6 From Gustavo Zacarias (RETIRED) 2006-03-06 09:57:42 0000 -------
sparc done.

------- Comment #7 From Jeroen Roovers 2006-03-06 11:34:33 0000 -------
hppa done.

------- Comment #8 From Thierry Carrez (RETIRED) 2006-03-06 13:03:52 0000 -------
*** Bug 124612 has been marked as a duplicate of this bug. ***

------- Comment #9 From Chris White (RETIRED) 2006-03-07 20:41:15 0000 -------
x86.. handled.

------- Comment #10 From Tobias Scherbaum 2006-03-09 12:03:51 0000 -------
ppc stable

------- Comment #11 From Chris White (RETIRED) 2006-03-10 12:28:25 0000 -------
amd64 stable.

------- Comment #12 From donald webster 2006-03-11 05:46:17 0000 -------
2.0.4 just came out, another security release.  Renaming to 2.0.4 should work
fine.

------- Comment #13 From Stefan Cornelius (RETIRED) 2006-03-11 06:37:11 0000 -------
Thanks for informing us, I created a new bug for 2.0.4 (bug #125830). Also
added the new bug as depending as a headsup, because we'll probably handle both
bugs in one GLSA.

------- Comment #14 From Thierry Carrez (RETIRED) 2006-03-12 03:46:36 0000 -------
Uncalling arch since we'll have to release 2.0.4 as security fix too.

------- Comment #15 From Renat Lumpau 2006-03-15 08:37:08 0000 -------
in CVS

------- Comment #16 From Stefan Cornelius (RETIRED) 2006-03-17 04:02:24 0000 -------
closing without glsa, feel free to reopen if you disagree.
