| Summary: | www-apps/gallery: "username" XSS vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Luke Macken (RETIRED) <lewk> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://theinsider.deep-ice.com/texts/advisory69.txt | | |
| Whiteboard: | A4 [glsa] lewk | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 72036 | | |
| Bug Blocks: | | | |

Description
Luke Macken (RETIRED)
2005-01-18 08:22:15 UTC
Good catch Lewk, didn't notice that Secunia changed the affected versions from the initial advisory. web-apps please verify and advise.

I confirmed this with upstream, and -pl5 will be getting released shortly with these fixes.

From Debian Security Advisory DSA 642-1:

CAN-2004-1106: Jim Paris discovered a cross site scripting vulnerability which allows code to be inserted by using specially formed URLs.

CVE-NOMATCH: The upstream developers of gallery have fixed several cases of possible variable injection that could trick gallery to unintended actions, e.g. leaking database passwords.

Please make sure this is the same and/or it's fixed too :)

CAN-2004-1106 has been advised in GLSA 200411-10. I assume that the CVE-NOMATCH issue koon mentioned is already fixed since we are using a way newer version of gallery than Debian does.

This isn't going to get fixed quickly. Gallery relies on an older version of ImageMagick which has recently disappeared from the tree ... :(

Best regards, Stu

When CVS returns, I will package-mask Gallery for now.

Best regards, Stu

XSS downgrading severity.

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147&mode=thread&order=0&thold=0

Gallery 1.4.4-pl5 is out.

1.4.4-pl5 fixes both the XSS and the issue with ImageMagick. Nothing probably needs to change in the ebuild aside from the version number.

web-apps: please unmask and bump

Looks like swtaylor bumped the ebuild, all arches are marked stable, good catch lewk. Pls enter a changelog entry and post to the bug next time, makes keeping track a little easier. Moving to glsa status since maintainer kept keywords.

GLSA 200501-45 by lewk

Apparently Gallery is still vulnerable? http://www.securityfocus.com/archive/1/389270

web-apps, please verify and advise.

- - -

The recent release of 1.4.4-pl5 was meant to resolve some security problems, however after another analysis of the code the fix did not actually fix what it was intended to.

1.4.4-pl6 is now available and should properly fix the security problems. Please see the 1.4.4-pl5 announcement for more information about the security problems. All Gallery users are strongly urged to upgrade to 1.4.4-pl6 immediately, which fixes this problem and will secure your system. Gallery 1.4.4-pl6 can be downloaded from http://sourceforge.net/project/showfiles.php?group_id=7130

-Chris
Gallery Project Manager

- - -

web-apps, please bump.

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=149&mode=thread&order=0&thold=0

gallery 1.4.4-pl6 released

This should fix the unfixed bug

swtaylor strikes again! He bumped -pl6 a few days ago, and retained keywords. Moving to GLSA status. Security, please vote

I vote YES for an update to the old GLSA.

I will write and UPDATE glsa.

GLSA 200501-45 has been updated, and an UPDATE GLSA sent.