Just got a mail from the gallery-announce list:

Gallery 2.0.3 is now available for download. This release adds no new features. It fixes a minor XSS exploit and an exploit in the session code that could allow users to remotely delete session files. These security flaws were discovered during an independent audit by James Bercegay from GulfTech Security Research, who reported them to us and worked with us to provide an appropriate solution. There are no known exploits of these flaws in the wild. However, we strongly recommend that you upgrade to version 2.0.3 as soon as possible. Please follow our upgrading instructions and download and install the latest release. Upgrading is quick and easy and will help you ensure the security of your system.

Visit http://gallery.menalto.com/gallery_2.0.3_released for more details.

Patch Files: http://codex.gallery2.org/index.php/Gallery2:Download#Upgrades
Instructions: http://codex.gallery2.org/index.php/Gallery2:Upgrading_to_2.0.x

If you have any questions, please ask in the Gallery 2 forums: http://gallery.menalto.com/forum/62

regards,
The Gallery Team
Created attachment 81178: Possible 2.0.3 ebuild? I commented out the ffmpeg patch, because I wasn't 100% sure if it needed to be applied.
Created attachment 81179: faster, harder, better, stronger! I've uncommented the patch line after looking at the 2.0.3 source and finding the elderly "singlejpeg" line.
Updating status, web-apps please bump
bumped
Arches please test and mark 2.0.3 stable
sparc done.
hppa done.
*** Bug 124612 has been marked as a duplicate of this bug. ***
x86.. handled.
ppc stable
amd64 stable.
2.0.4 just came out, another security release. Renaming to 2.0.4 should work fine.
Thanks for informing us, I created a new bug for 2.0.4 (bug #125830). Also added the new bug as a dependency as a heads-up, because we'll probably handle both bugs in one GLSA.
Uncalling arch since we'll have to release 2.0.4 as security fix too.
in CVS
closing without glsa, feel free to reopen if you disagree.