Multiple vulnerabilities have been fixed [0] in piwigo-14.3.0, the worst of which is an undisclosed RCE through XSS [1]. Another two are stored XSS [2,3]. For upgrading it is enough to rename the ebuild.

[0] https://piwigo.org/release-14.3.0
[1] https://github.com/Piwigo/Piwigo/security/advisories/GHSA-8g2g-6f2c-6h7j
[2] https://github.com/Piwigo/Piwigo/security/advisories/GHSA-7379-w44f-mfw4
[3] https://github.com/Piwigo/Piwigo/security/advisories/GHSA-p362-cfpj-q55f
14.3.0 is in tree already, removing previous vulnerable version
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=747136bab9f1307319c6ab1e4a8071702e296927

commit 747136bab9f1307319c6ab1e4a8071702e296927
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2024-03-03 18:17:04 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2024-03-03 18:17:50 +0000

    www-apps/piwigo: drop 14.2.0 vulnerable version

    Bug: https://bugs.gentoo.org/925931
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest             |  1 -
 www-apps/piwigo/piwigo-14.2.0.ebuild | 44 ------------------------------------
 2 files changed, 45 deletions(-)
Thanks for the quick action!