Red Hat Bugzilla – Bug 462703
Gallery 2.2.6 Security Fix Release
Last modified: 2008-12-13 10:07:42 EST
Description of problem:
Gallery2-2.2.6 was just released addressing a critical security erratum.
The details of this update can be found here:
It fixes security flaws:
* Arbitrary file disclosure through archive upload module - Users with "add
item" permission could retrieve any file on the server that is owned by the
web server account. The problem is caused by incorrect handling of ZIP
archives that contain symbolic links.
The Gallery team would like to thank Alex Ustinov for bringing this issue
to our attention.
* Insecure cookies over HTTPS - When accessing Gallery over HTTPS, cookies were
missing the "secure" flag, leaving the connection vulnerable to cookie
The Gallery team would like to thank Hanno Boeck for bringing this issue
to our attention.
* XSS through malicious Flash files - Flash animations that are embedded in
Gallery are no longer allowed to interact with the embedding page and are no
longer allowed to open network connections.
While this protects visitors of your Gallery from potentially malicious Flash
animations, the Gallery team would like to use this opportunity to remind you
that it is generally highly recommended to only allow trusted users to add
any files to your Gallery.
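The first item above describes an upload module that extracted ZIP archives without checking for symbolic-link entries, so a link inside the archive could point at any file the web server account could read. The following is an added example, not code from Gallery or from this bug report, showing how an upload handler can audit an archive before extracting it: it reads the Unix mode bits that ZIP stores in the high 16 bits of each entry's external attributes, rejects symlinks and path-traversal names, and only then writes regular files into the destination directory. The archive contents and file names are constructed for the example; the function names are my own.

```python
import io
import os
import stat
import zipfile


class UnsafeArchiveError(ValueError):
    """Raised when an uploaded archive contains entries that must not be extracted."""


def entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    # ZIP entries written on Unix keep st_mode in the upper 16 bits of external_attr.
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def entry_escapes_destination(name: str) -> bool:
    # Reject absolute paths, drive letters and any ".." component, on either separator.
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ":" in parts[0] or ".." in parts


def audit_archive(data: bytes) -> list:
    """Return a list of (entry name, reason) for every entry that must be rejected."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_is_symlink(info):
                findings.append((info.filename, "symlink"))
            if entry_escapes_destination(info.filename):
                findings.append((info.filename, "path traversal"))
    return findings


def safe_extract(data: bytes, dest: str) -> list:
    """Audit the archive, then copy only regular files into dest. Returns written paths."""
    findings = audit_archive(data)
    if findings:
        raise UnsafeArchiveError(findings)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, *info.filename.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Copy the bytes ourselves instead of relying on the extractor's
            # handling of special entries; the audit above already excluded links.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_malicious_archive() -> bytes:
    """Constructed sample: one real image, one symlink entry, one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        link = zipfile.ZipInfo("album/config.php")
        link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        # For a symlink entry the "file content" is the link target.
        zf.writestr(link, "/var/www/gallery/config.php")  # hypothetical target path
        zf.writestr("../../etc/passwd", b"not really passwd")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample: only regular files under a relative directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/one.jpg", b"\xff\xd8\xff\xe0 one")
        zf.writestr("album/two.jpg", b"\xff\xd8\xff\xe0 two")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    print(audit_archive(build_malicious_archive()))
    with tempfile.TemporaryDirectory() as d:
        print(safe_extract(build_clean_archive(), d))
```

Checking the mode bits is the part that matters here: an extractor that only validates file names will still happily create a link named `config.php` whose target lies outside the album directory, and the web server's own permissions then turn it into a read of that file.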
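The second item concerns session cookies issued over HTTPS without the "secure" attribute, which lets a browser send the same cookie over plain HTTP. As an added example, separate from Gallery's own code, here is a small check that parses a Set-Cookie header and reports a missing Secure attribute for cookies set on an HTTPS response, alongside a builder that emits the header correctly using the standard library. The check also reports a missing HttpOnly attribute, which goes beyond what the release note lists; the cookie name and value are constructed.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header: str, over_https: bool) -> list:
    """Return the names of protective attributes missing from one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    # Attribute names are case-insensitive; flag attributes carry no value.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = []
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def build_session_cookie(name: str, value: str, over_https: bool) -> str:
    """Emit a Set-Cookie value; Secure is set whenever the response goes over HTTPS."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if over_https:
        jar[name]["secure"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    # Constructed header resembling what the pre-fix release sent over HTTPS.
    weak = "session_id=3f9c1a; Path=/"
    print(audit_set_cookie(weak, over_https=True))
    fixed = build_session_cookie("session_id", "3f9c1a", over_https=True)
    print(fixed, audit_set_cookie(fixed, over_https=True))
```

Run the audit over the Set-Cookie headers of a login response captured from a staging instance to confirm the upgrade actually changed what the server sends.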
Ping. Anything in progress?
Updating to 2.2.6 should be abandoned in favor of packaging 2.3 instead.
I can't quite believe that a security bug was allowed to sit for two months.
gallery2-2.3-1.fc10 has been submitted as an update for Fedora 10.
gallery2-2.3-1.fc9 has been submitted as an update for Fedora 9.
gallery2-2.3-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
gallery2-2.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.