From ${URL} :

Description
Two vulnerabilities with an unknown impact have been reported in Gallery. The vulnerabilities are caused due to unspecified errors. No further information is currently available. The vulnerabilities are reported in versions prior to 3.0.9.

Solution: Update to version 3.0.9.

Provided and/or discovered by: The vendor credits Malte Batram and Dhaval Chauhan.

Original Advisory: http://galleryproject.org/gallery_3_0_9

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
The vulnerable versions are off the tree and only 3.0.9 remains.
blueness reports that this vulnerability only affects the 3.x branch, which is new in tree and has not been stabilized at all. Changing to ~ and closing.
CVE-2013-2138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2138): The (1) uploadify and (2) flowplayer SWF files in Gallery 3 before 3.0.8 do not properly remove query parameters and fragments, which allows remote attackers to have an unspecified impact via a replay attack.