Description: Gallery 1.5-pl1 is now available for download. It fixes several major security issues and it is strongly recommended that all users of 1.5 upgrade to this release immediately. Gallery 1.5.1-RC3 is also now available for download. This release fixes several small issues discovered in the second Release Candidate including the security problems found in 1.5, and should be the final release candidate before 1.5.1.
1.5_p1 and 1.5.1_rc3 are in CVS. Security folks - gallery-1.4.4_p6 is stable on a bunch of arches, so please do your usual dance.
/me dances: Arches please test and mark 1.5_p1 stable.
Target KEYWORDS="alpha amd64 hppa ppc sparc x86"
Didn't really find what the "serious security issues" were, though.
Stable on SPARC.
Stable on alpha
stable on x86
Stable on ppc and hppa.
amd64 stable
Time for GLSA decision. This is what I could gather from the Changelog:

2005-08-24 Jay Rossiter <cryptographite@users.sf.net> 1.5-pl1-cvs-b2
* Fix: Prevent two file exposure bugs in stats module (thanks to ilia for one of them)

2005-08-23 Jay Rossiter <cryptographite@users.sf.net> 1.5-pl1-cvs-b1
* Fix: Prevent HTML tags inside EXIF info from being displayed without escaping.

Based on that I tend to vote NO.
Here is what I gathered from the Debian Changelog:

* SECURITY:
  + Fix privilege escalation in Postnuke integration. References: CAN-2005-2596
  + Fix XSS issue in EXIF tag handling (Closes: #325285)
  + Fix two file exposure bugs in stats module.

CAN-2005-2596 is http://secunia.com/advisories/16389, fixed since 1.5.1RC2, but maybe unfixed in 1.5_pl1. The other two are http://secunia.com/advisories/16594

I tend to vote yes.
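The EXIF XSS item in both changelogs above comes down to metadata strings being echoed into HTML unescaped. The following is an added illustration, not Gallery's own code: it renders a constructed EXIF array first the vulnerable way and then with output escaping, which is the kind of fix the "Prevent HTML tags inside EXIF info from being displayed without escaping" entry describes. The `$exif` sample, `renderExifUnsafe` and `renderExifSafe` are all assumptions made for this example.

```php
<?php
// Added example (not Gallery's own code). Constructed sample EXIF data:
// the "Artist" value carries markup, standing in for metadata that an
// uploader could embed in an image file.
$exif = [
    'Make'   => 'ExampleCam',
    'Model'  => 'X-1',
    'Artist' => '<script>alert(1)</script>',
];

// Vulnerable pattern: tag names and values are interpolated straight into
// the page, so any HTML inside the metadata is rendered by the browser.
function renderExifUnsafe(array $exif): string
{
    $html = "<table>\n";
    foreach ($exif as $tag => $value) {
        $html .= "<tr><td>$tag</td><td>$value</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every tag name and value is escaped for an HTML text
// context before it is emitted. ENT_QUOTES also escapes single quotes, so
// the same helper is safe inside quoted attribute values.
function renderExifSafe(array $exif): string
{
    $html = "<table>\n";
    foreach ($exif as $tag => $value) {
        $t = htmlspecialchars((string) $tag, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<tr><td>$t</td><td>$v</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Quick regression check: the hardened output must not contain a live tag.
assert(strpos(renderExifUnsafe($exif), '<script>') !== false);
assert(strpos(renderExifSafe($exif), '<script>') === false);

echo renderExifSafe($exif);
```

Escaping at the point of output, rather than trying to strip tags from the metadata when the file is uploaded, is the robust choice here: the EXIF block can be rewritten by anyone who can replace the image, and the browser is what interprets the characters, so the encoding has to happen for the context the value lands in.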
"This can be exploited by PostNuke users with any admin privilege levels to gain access to other user's albums." If that's the only impact (along with the xss and file disclosure), I would vote NO.
I'd say no, they all seem to be pretty minor.
Closing without GLSA. Feel free to reopen if you disagree.