Bug 39638 - gallery < 1.4.1-pl1 remote exploit
Summary: gallery < 1.4.1-pl1 remote exploit
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL: http://gallery.menalto.com/modules.ph...
Keywords: SECURITY
Reported: 2004-01-27 23:05 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2004-02-11 13:25 UTC
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-01-27 23:05:30 UTC
from <http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=107&sid=107>:

Notice if you use Gallery versions 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 (current release):

We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery which can allow a hacker to remotely exploit your webserver. All Gallery users are strongly urged to upgrade to 1.4.1-pl1 immediately, which fixes this serious problem and will secure your system.

Thanks to Fred (vrotogel) for quickly alerting us to this issue.

Gallery 1.4.1-pl1 can be downloaded from the Gallery Download Page.

If you use version 1.4.1 and would like to patch your existing installation rather than downloading the full updated version, click to read on...


see also <http://www.securityfocus.com/archive/1/351449>

new version in portage, marked stable. glsa to be sent.
Comment 1 solar (RETIRED) gentoo-dev 2004-01-27 23:41:10 UTC
This is the 3rd time, I think, that I've seen this program become exploitable.
Shame on the coders!
Comment 2 SpanKY gentoo-dev 2004-02-10 22:16:44 UTC
this was version bumped into stable 25 Jan 2004 by mholzer

GLSA can be sent out as soon as one is made
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-02-11 13:25:08 UTC
GLSA is out: http://article.gmane.org/gmane.linux.gentoo.announce/287

Thanks!