SQL injection vulnerability exists in all versions of piwigo prior to 11.5.0. I see no way of exploiting this vulnerability except as having already been logged in as a user with administrative (to the web gallery) privileges and such a user would probably already have administrative level access to the database. Upgrading is as easy as renaming the ebuild.
Thanks for the report! No need to populate package list, this is an unstable package, and version doesn't go in summary without that version in tree
*** Bug 790449 has been marked as a duplicate of this bug. ***
Thanks for both bug reports, sorry I did not have access to my dev box for a few days. New version works fine here, bump and cleanup in progress
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cf85216ff23071c8a6714c58ed5d6b5e1c67e70

commit 4cf85216ff23071c8a6714c58ed5d6b5e1c67e70
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-05-19 08:21:45 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-05-19 10:06:01 +0000

    www-apps/piwigo: 11.5.0 version bump

    Drop previous version for security bug

    Bug: https://bugs.gentoo.org/790728
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest                                       | 2 +-
 www-apps/piwigo/{piwigo-11.4.0.ebuild => piwigo-11.5.0.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Thank you! All unstable, all done.