Jim Paris discovered a few security problems in Gallery which have been addressed in this security release. The primary problem is a cross-site scripting vulnerability which allows code to be inserted into a Gallery by using specially formed URLs. This code then appears to be part of the Gallery. No risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code. All Gallery users are very strongly urged to upgrade to 1.4.4-pl3 immediately, which fixes this serious problem and will secure your system.
web-apps, please bump to 1.4.4-pl3.
Created attachment 43201: gallery-1.4.4_p3.ebuild

This is based on the ebuild I did for 2.0_alpha3. It's pretty much the same as 1.4.4_p2 with the additions of the imagemagick USE flag, and better support for virtual hosts.
EDIT: This release is a replacement for 1.4.4-pl3 which had an issue discovered shortly after release. Jim Paris discovered a few security problems in Gallery which have been addressed in 1.4.4-pl4. The primary problem is a cross-site scripting vulnerability which allows code to be inserted into a Gallery by using specially formed URLs. This code then appears to be part of the Gallery. No risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code. All Gallery users are very strongly urged to upgrade to 1.4.4-pl4 immediately, which fixes this serious problem and will secure your system.

===============================

web-apps, please bump to 1.4.4-pl4 ;)
Okay, I'll look at p4 instead ;-)
Okay, p4 seems to be fine. Ebuild in CVS, and marked stable on x86.
archs, please mark gallery-1.4.4_p4 stable.
stable on ppc
sparc stable.
Stable on alpha.
GLSA 200411-10. hppa, please mark stable to benefit from the GLSA.