Secunia writes:

Some vulnerabilities have been reported in Gallery, which can be exploited by malicious users to disclose sensitive information, bypass certain security restrictions, and manipulate data, and by malicious people to conduct cross-site scripting attacks.

1) An unspecified error can be exploited by malicious users to disclose potentially sensitive information.

2) Various components do not properly enforce role based access controls. This can be exploited to bypass access restrictions and e.g. perform sensitive actions.

3) Various components expose certain functionality which can be exploited to list directories and e.g. read and delete files or write to existing files.

4) Certain input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) Some vulnerabilities are caused due to "Insecure Command Execution" when e.g. processing archives or watermarks.

The vulnerabilities are reported in versions prior to 1.5.8.

SOLUTION: Update to version 1.5.8

PROVIDED AND/OR DISCOVERED BY: The vendor credits Digital Security Research Group and Gotham Digital Science.

ORIGINAL ADVISORY: http://gallery.menalto.com/gallery_1.5.8_released
Removed gallery-1.5.3, 1.5.7, added 1.5.8. Targets: alpha amd64 hppa ppc sparc x86
Arches, please test and mark stable: =www-apps/gallery-1.5.8
Target keywords: "alpha amd64 hppa ppc sparc x86"
Is -1.5.8 preferred over -2.2.5 which is already stable on everything?
gallery 1.X and 2.X are maintained independently, and our (previous stable) 1.5.3 ebuild has been removed. If web-apps decides to maintain 1.X (as does upstream), we need to mark the 1.5.8 version stable.
Seems strange, but OK. Sparc stable.
alpha/x86 stable
>>> Install gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/ category www-apps
dodoc: AUTHORS does not exist
dodoc: ChangeLog does not exist
dodoc: ChangeLog.archive does not exist
dodoc: README does not exist
cp: cannot stat `./gallery-1.5.8/gallery': No such file or directory
install: cannot stat `/mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/temp/gallery': No such file or directory
 * (info) /keeps/gentoo/portage/www-apps/gallery/files/postinstall-en.txt (lang: en)
>>> Completed installing gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/

That doesn't seem right...
Stable for HPPA.
@web-apps: please fix the thingie in comment #7, so ugly =) amd64 stable
Fixed the installation errors in CVS.
ppc stable
Time for GLSA decision, I vote YES.
YES too, request filed.
Hrm, removed stable version before we stabilized this one. My mistake. Anyhow, the new version got stabilized pretty fast and nobody complained so I guess it was okay. webapps done.
GLSA 200811-02, thanks everyone, sorry about the delay.