Bug 462703 - Gallery 2.2.6 Security Fix Release
Gallery 2.2.6 Security Fix Release
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: gallery2 (Show other bugs)
9
All Linux
high Severity medium
: ---
: ---
Assigned To: John Berninger
Fedora Extras Quality Assurance
http://gallery.menalto.com/gallery_2....
:
Depends On:
Blocks: CVE-2008-3662 CVE-2008-4129 CVE-2008-4130
  Show dependency treegraph
 
Reported: 2008-09-18 09:55 EDT by David Juran
Modified: 2008-12-13 10:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-13 10:01:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Juran 2008-09-18 09:55:41 EDT
Description of problem:
Gallery2-2.2.6 was just released addressing a critical security errata.
Comment 1 Josh Bressers 2008-09-18 13:22:11 EDT
The details of this update can be found here:
http://gallery.menalto.com/gallery_2.2.6_released

It fixes security flaws:

* Arbitrary file disclosure through archive upload module - Users with "add 
  item" permission could retrieve any file on the server that is owned by the 
  web server account. The problem is caused by incorrect handling of ZIP 
  archives that contain symbolic links.
      The Gallery team would like to thank Alex Ustinov for bringing this issue 
      to our attention.

* Insecure cookies over HTTPS - When accessing Gallery over HTTPS, cookies were 
  missing the "secure" flag, leaving the connection vulnerable to cookie 
  sniffing attacks.
      The Gallery team would like to thank Hanno Boeck for bringing this issue 
      to our attention.

* XSS through malicious Flash files - Flash animations that are embedded in 
  Gallery are no longer allowed to interact with the embedding page and are no 
  longer allowed to open network connections.

  While this protects visitors of your Gallery from potentially malicious Flash 
  animations, the Gallery team would like to use this opportunity to remind you 
  that it is generally highly recommended to only allow trusted users to add 
  any files to your Gallery.
Comment 2 Jonathan S. Shapiro 2008-09-27 17:41:32 EDT
Ping. Anything in progress?
Comment 3 Jonathan S. Shapiro 2008-11-18 09:19:13 EST
Updating to 2.2.6 should be abandoned in favor of packaging 2.3 instead.

I can't quite believe that a security bug was allowed to sit for two months.
Comment 4 Fedora Update System 2008-12-10 16:24:15 EST
gallery2-2.3-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/gallery2-2.3-1.fc10
Comment 5 Fedora Update System 2008-12-10 16:26:09 EST
gallery2-2.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/gallery2-2.3-1.fc9
Comment 6 Fedora Update System 2008-12-13 10:00:54 EST
gallery2-2.3-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-12-13 10:07:42 EST
gallery2-2.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.