Bug 39638

Summary:	gallery < 1.4.1-pl1 remote exploit
Product:	Gentoo Linux	Reporter:	Rajiv Aaron Manglani (RETIRED) <rajiv>
Component:	New packages	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	web-apps
Priority:	High	Keywords:	SECURITY
Version:	1.4
Hardware:	All
OS:	All
URL:	http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=107&sid=107
Whiteboard:
Package list:		Runtime testing required:	---

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev

2004-01-27 23:05:30 UTC

from <http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=107&sid=107>:

Notice if you use Gallery versions 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 (current release):

We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery which can allow a hacker to remotely exploit your webserver. All Gallery users are strongly urged to upgrade to 1.4.1-pl1 immediately, which fixes this serious problem and will secure your system.

Thanks to Fred (vrotogel) for quickly alerting us to this issue.

Gallery 1.4.1-pl1 can be downloaded from the Gallery Download Page.

If you use version 1.4.1 and would like to patch your existing installation rather than downloading the full updated version, click to read on...


see also <http://www.securityfocus.com/archive/1/351449>

new version in portage, marked stable. glsa to be sent.

Comment 1 solar (RETIRED) gentoo-dev

2004-01-27 23:41:10 UTC

This is the 3rd time I think I've seen this program has become exploitable.
shame on the coders!

Comment 2 SpanKY gentoo-dev

2004-02-10 22:16:44 UTC

this was version bumped into stable 25 Jan 2004 by mholzer

GLSA can be sent out as soon as one is made

Comment 3 Tim Yamin (RETIRED) gentoo-dev

2004-02-11 13:25:08 UTC

GLSA is out: http://article.gmane.org/gmane.linux.gentoo.announce/287

Thanks!