Summary: | www-apps/gallery: XSS vulnerability
---|---
Product: | Gentoo Security
Reporter: | Luke Macken (RETIRED) <lewk>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
CC: | e.montezinos, m.debruijne, web-apps
Priority: | High
Version: | unspecified
Hardware: | All
OS: | All
URL: | http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=141&mode=thread&order=0&thold=0
Whiteboard: | B4 [glsa] lewk
Package list: |
Runtime testing required: | ---
Description
Luke Macken (RETIRED)
2004-11-02 16:47:36 UTC
web-apps, please bump to 1.4.4-pl3.

Created attachment 43201
gallery-1.4.4_p3.ebuild
This is based on the ebuild I did for 2.0_alpha3.
It's pretty much the same as 1.4.4_p2 with the additions of imagemagick use
flag, and better support for virtual hosts.

EDIT: This release is a replacement for 1.4.4-pl3 which had an issue discovered shortly after release.

Jim Paris discovered a few security problems in Gallery which have been addressed in 1.4.4-pl4. The primary problem is a cross site scripting vulnerability which allows code to be inserted into a Gallery by using specially formed URLs. This code then appears to be part of the Gallery. No risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code. All Gallery users are very strongly urged to upgrade to 1.4.4-pl4 immediately, which fixes this serious problem and will secure your system.

===============================

web-apps, please bump to 1.4.4-pl4 ;)

Okay, I'll look at p4 instead ;-)

Okay, p4 seems to be fine. Ebuild in CVS, and marked stable on x86.

archs, please mark gallery-1.4.4_p4 stable.

stable on ppc

sparc stable.

Stable on alpha.

GLSA 200411-10

hppa, please mark stable to benefit from glsa.