Gallery 1.5.2-pl2 Security Release

Gallery 1.5.2-pl2 is now available for download. This release fixes several things:
  • A very major data loss issue with the zip download component. If a zip file is not successfully created, Gallery 1.5.2 and Gallery 1.5.2-pl1 will try and delete many more files than they should.
  • A very minor security problem where a user with write access to a server could create a specially formatted file and then coerce someone with owner privileges in the Gallery into clicking a specially formatted link, which could modify stored album data and possibly lead to local code execution. We thank Tom Saville (seregon at bughunter dot net) and his team from Digital Armaments for reporting this to us and giving us time to get a patch out.
  • Several other minor bugs.
We strongly recommend all Gallery 1.5.2 users upgrade immediately to 1.5.2-pl2 to avoid losing data on your webserver! Download Gallery 1.5.2-pl2 from the Gallery Download Page.
schultmc's picture

Version 1.5.2-pl2-1 of the Debian gallery package was uploaded to Debian unstable in the afternoon (EST) on Wednesday, February 8, 2006 and will be made available as of the archive run in the afternoon (EST) on Thursday, February 9, 2006.

--
Debian gallery package maintainer

schultmc wrote:
Version 1.5.2-pl2-1 of the Debian gallery package was uploaded to Debian unstable in the afternoon (EST) on Wednesday, February 8, 2006 and will be made available as of the archive run in the afternoon (EST) on Thursday, February 9, 2006.

--
Debian gallery package maintainer

Thanks a lot! Was looking forward to this. Have to wait till the afternoon though ;)

Makc666's picture
Quote:
Russian language for cp1251 doesn't work any more in Gallery 1.5.2-pl2 Security Release!!!

I was mistaken. There was some sort of BUG in my Apache.conf

There must be a line:

<IfModule mod_mime.c>
# Map the .cp-1251 and .cp1251 file extensions to the WINDOWS-1251 charset
AddCharset WINDOWS-1251 .cp-1251
AddCharset WINDOWS-1251 .cp1251
</IfModule>

So the translation works fine!

ckdake's picture

Please post support issues in the forums. Thanks!

Makc666's picture

I found the problem and made a note here:
http://gallery.menalto.com/node/44437

"A very major data loss issue with the zip download component. If a zip file is not successfully created, Gallery 1.5.2 and Gallery 1.5.2-pl1 will try and delete many more files than they should."

how in the gods name can you people afford writing - even more, _releasing_ code that deletes all the albums
... yeah - all that "we're doing it for free, accept as it is" - don't you have any pride?

am not a dumb user, know how to program and admin., a victim and very disappointed

hope you learn from it,
peace

bharat's picture

I'm sorry that you suffered a loss because of a mistake that we made. It's not a question of having pride in our product (which we do). It's a matter of putting enough process in place to test the code thoroughly before it's released. We do this by releasing early and often, and reducing the amount of change as we get closer to release deadlines and increasing our test vigor. Unfortunately, due to the fact that our entire organization is volunteers we oftentimes do not get enough volunteers to do some of the more difficult and tedious aspects of the product release, namely doing black box testing. As a consequence, bugs occasionally slip through and they are difficult for us to prevent.

If you have concrete suggestions for ways that we could improve our process or attract more volunteers to help us with testing, we would be very happy to listen and incorporate them. You'll be happy to know that Gallery2 has well over 2000 unit tests that we use during our development and release process to ensure a very high level of quality. It was designed from the ground up to be the highest level of quality that we can manage.

blah blah. Instead of %itching about it you should have had nightly automated backup jobs scheduled for those "what if" scenarios. My server backs up my Gallery site, copies it to another local disk and then copies it to a network drive on a remote pc. Friend, you need to update your DR (Disaster Recovery) plans.

jaantark wrote:
"A very major data loss issue with the zip download component. If a zip file is not successfully created, Gallery 1.5.2 and Gallery 1.5.2-pl1 will try and delete many more files than they should."

how in the gods name can you people afford writing - even more, _releasing_ code that deletes all the albums
... yeah - all that "we're doing it for free, accept as it is" - don't you have any pride?

am not a dumb user, know how to program and admin., a victim and very disappointed

hope you learn from it,
peace

jpeadro wrote:
blah blah. Instead of %itching about it you should have had nightly automated backup jobs scheduled for those "what if" scenarios. My server backs up my Gallery site, copies it to another local disk and then copies it to a network drive on a remote pc. Friend, you need to update your DR (Disaster Recovery) plans.

Yeah, you got that right, jpeadro. All by the way, it's not that a major problem disaster. I'm sure you people will find a nice solution for it.

Hi! I have a question. When can we download a Polish language pack for Gallery 1.5.2-pl2?

ckdake's picture

Please ask support questions in the forums. All language files that we have are available at http://sourceforge.net/project/showfiles.php?group_id=7130&package_id=96735

thx for answer. Polish language is now available :]

punkers wrote:
thx for answer. Polish language is now available :]

Now still some other I need ;) Did you only need the Polish one?