Important changes: diff modules/core/CoreModuleExtras.inc modules/core/CoreModuleExtras.inc 23c23 < * @version $Revision: 1.113.2.1 $ $Date: 2005/10/13 16:47:51 $ --- > * @version $Revision: 1.113.2.2 $ $Date: 2005/11/24 00:46:16 $ 1210a1211,1213 > case '1.0.0.1': > /* Security fix in zipcart */ > 1379a1383 > case '1.0.0.1': diff modules/core/ItemAddFromWeb.inc modules/core/ItemAddFromWeb.inc 23c23 < * @version $Revision: 1.25 $ $Date: 2005/08/23 03:49:02 $ --- > * @version $Revision: 1.25.4.1 $ $Date: 2005/11/24 05:42:57 $ 169a170,173 > > /* Avoid XSS by eliminating any HTML from the url */ > $url = str_replace(array('<', '>'), array('<', '>'), $url); diff upgrade/steps/CleanCacheStep.class upgrade/steps/CleanCacheStep.class 45a46,55 > /* > * Delete the install.log file that's left over from 2.0 and 2.0.1 installs > * since it's in a known location and contains potential information leaks. > */ > $dataBase = $gallery->getConfig('data.gallery.base'); > $legacyInstallLogPath = sprintf('%s/install.log', $dataBase); > if ($platform->file_exists($legacyInstallLogPath)) { > $platform->unlink($legacyInstallLogPath); > } >
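Review bot: In the CoreModuleExtras.inc hunks, the new `case '1.0.0.1':` labels carry no `break`, so the upgrade path for 1.0.0.1 falls through into the following version's upgrade step; that is presumably intended (the 2.0.2 upgrade needs no data migration beyond the later steps), but a `/* fall through */` comment after `/* Security fix in zipcart */` would make it explicit. The zipcart change itself is not part of the pasted diff, so the comment is the only trace of it here.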
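Review bot: The ItemAddFromWeb.inc hunk as pasted replaces `'<'` and `'>'` with `'<'` and `'>'`, i.e. the search and replacement arrays are identical and the line is a no-op; the upstream line almost certainly uses the entity forms (`&lt;`, `&gt;`) and they were decoded when the diff was pasted, so the committed text should be checked against the 2.0.2 source before it goes into portage. Beyond that, rewriting the stored `$url` is a weaker fix than escaping at output: `htmlspecialchars($url, ENT_QUOTES)` where the URL is echoed would also neutralise quotes, which matter when the value lands inside an attribute.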
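Review bot: In the CleanCacheStep.class hunk, the return value of `$platform->unlink($legacyInstallLogPath)` is not checked, so a delete that fails (e.g. the data directory is not writable by the web server) silently leaves the information-leaking install.log in place while the upgrade step reports success; consider warning the user when `unlink()` returns false so the file can be removed by hand.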
From #gallery: <mindless> 2.0.2 basically contains: security fix in zipcart to prevent reading server files, avoid XSS attack if add-from-web is directed to a maliciously constructed website, obscured name for install.log
Sune, just an FYI that you pasted the core diffs. The zipcart issue looks to be even more serious. Either way, getting 2.0.2 in portage ASAP would be a Good Thing.
Perhaps I'm just not intimately familiar with how the security team judges things, but I think this warrants higher than 'trivial'. Just my opinion. Can anyone from web-apps add an ebuild for 2.0.2? It would just be a copy of 2.0.1.
Don, somehow I managed to miss pasting some of the diff. It's rated trivial because version 2 was never stable on any arch. For details see: http://www.gentoo.org/security/en/vulnerability-policy.xml
Ah, I didn't realize 2 wasn't stable. My apologies then. Definitely should be ;)
2.0.2 in CVS, enjoy. rizzo - I assume that's what your urgent ping was about?
Thx Renat, closing without GLSA.