Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 925931 - <www-apps/piwigo-14.3.0: Multiple vulnerabilities
Summary: <www-apps/piwigo-14.3.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://piwigo.org/release-14.3.0
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-01 17:26 UTC by Alexander Bezrukov
Modified: 2024-03-04 06:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bezrukov 2024-03-01 17:26:45 UTC 
Multiple vulnerabilities have been fixed [0] in piwigo-14.3.0, worst of which is an undisclosed RCE through XSS [1]. Another two are stored XSS [2,3].

For upgrading it is enough to rename the ebuild.

[0] https://piwigo.org/release-14.3.0
[1] https://github.com/Piwigo/Piwigo/security/advisories/GHSA-8g2g-6f2c-6h7j
[2] https://github.com/Piwigo/Piwigo/security/advisories/GHSA-7379-w44f-mfw4
[3] https://github.com/Piwigo/Piwigo/security/advisories/GHSA-p362-cfpj-q55f
Comment 1 Bernard Cafarelli gentoo-dev 2024-03-03 18:17:39 UTC 
14.3.0 is in tree already, removing previous vulnerable version
Comment 2 Larry the Git Cow gentoo-dev 2024-03-03 18:17:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=747136bab9f1307319c6ab1e4a8071702e296927

commit 747136bab9f1307319c6ab1e4a8071702e296927
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2024-03-03 18:17:04 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2024-03-03 18:17:50 +0000

    www-apps/piwigo: drop 14.2.0 vulnerable version
    
    Bug: https://bugs.gentoo.org/925931
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest             |  1 -
 www-apps/piwigo/piwigo-14.2.0.ebuild | 44 ------------------------------------
 2 files changed, 45 deletions(-)
Comment 3 Hans de Graaff gentoo-dev Security 2024-03-04 06:57:08 UTC 
Thanks for the quick action!