Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 69904
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
gallery-1.4.4_p3.ebuild gallery-1.4.4_p3.ebuild text/plain Tom Hosiawa 2004-11-02 17:53 0000 1.20 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 69904 depends on: Show dependency tree
Bug 69904 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-11-02 16:47 0000 
Jim Paris discovered a few security problems in Gallery which have been 
addressed in this security release. The primary problem is a cross site 
scripting vulnerability which allows code to be inserted into a Gallery 
by using specially formed URLs. This code then appears to be part of the 
Gallery.

No risk is posed to the webserver-itself or any non-Gallery data, but a 
Gallery install could be compromised using appropriate code.

All Gallery users are very strongly urged to upgrade to 1.4.4-pl3 
immediately, which fixes this serious problem and will secure your system.

------- Comment #1 From Luke Macken (RETIRED) 2004-11-02 16:48:59 0000 ------- 
web-apps,

please bump to 1.4.4-pl3.

------- Comment #2 From Tom Hosiawa 2004-11-02 17:53:21 0000 ------- 
Created an attachment (id=43201) [details]
gallery-1.4.4_p3.ebuild

This is based on the ebuild I did for 2.0_alpha3.

It's pretty much the same as 1.4.4_p2 with the additions of imagemagick use
flag, and better support for virtual hosts.

------- Comment #3 From Luke Macken (RETIRED) 2004-11-03 12:26:24 0000 ------- 
EDIT: This release is a replacement for 1.4.4-pl3 which had an issue discovered
shortly after release.

Jim Paris discovered a few security problems in Gallery which have been
addressed in 1.4.4-pl4. The primary problem is a cross site scripting
vulnerability which allows code to be inserted into a Gallery by using
specially formed URLs. This code then appears to be part of the Gallery.

No risk is posed to the webserver-itself or any non-Gallery data, but a Gallery
install could be compromised using appropriate code.

All Gallery users are very strongly urged to upgrade to 1.4.4-pl4 immediately,
which fixes this serious problem and will secure your system.

===============================

web-apps,

please bump to 1.4.4-pl4 ;)

------- Comment #4 From Stuart Herbert (RETIRED) 2004-11-03 12:38:14 0000 ------- 
Okay, I'll look at p4 instead ;-)

------- Comment #5 From Stuart Herbert (RETIRED) 2004-11-04 15:00:16 0000 ------- 
Okay, p4 seems to be fine.  Ebuild in CVS, and marked stable on x86.

------- Comment #6 From Luke Macken (RETIRED) 2004-11-04 16:20:39 0000 ------- 
archs, please mark gallery-1.4.4_p4 stable.

------- Comment #7 From Jochen Maes (RETIRED) 2004-11-05 01:45:41 0000 ------- 
stable on ppc

------- Comment #8 From Gustavo Zacarias (RETIRED) 2004-11-05 09:38:38 0000 ------- 
sparc stable.

------- Comment #9 From Bryan Østergaard (RETIRED) 2004-11-05 16:23:11 0000 ------- 
Stable on alpha.

------- Comment #10 From Luke Macken (RETIRED) 2004-11-06 11:11:39 0000 ------- 
GLSA 200411-10

hppa, please mark stable to benefit from glsa.
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug