Gallery 2.0.3 Security Fix Release

Gallery 2.0.3 is now available for download. This release adds no new features; it fixes a minor cross-site scripting (XSS) vulnerability and a flaw in the session code that could allow remote users to delete session files. Both issues were discovered during an independent audit by James Bercegay of GulfTech Security Research, who reported them to us and worked with us to provide an appropriate fix. There are no known exploits of these flaws in the wild; however, we strongly recommend that you upgrade to version 2.0.3 as soon as possible. Please follow our upgrading instructions to download and install the latest release.
scaturan wrote:

thanks for the heads up!

What is the impact on 2.1 RC1?

edit: last line "upgrade to 2.0.3" :)

Error??? In teh news??? I don't see it!!!! ;)
_________________________________
Support & Documentation || Donate to Gallery || My Website

mindless wrote:

Status for 2.1: one of the two fixes in this patch release is already in 2.1-RC-1, the other is in current CVS / nightly snapshots now and will be in 2.1-RC-2 next week.

Great upgrade! Always like it when security fixes are being done, gives me a good feeling ;) Keep it coming!

fryfrog wrote:
Error??? In teh news??? I don't see it!!!! ;)

eeettt wasss feeeexed! they were super fast and stealth-like :O
Either way, I'm glad to see they're very on top of these fixes. I love this team/project! :)

schultmc wrote:

Version 2.0.3-1 of the Debian gallery2 package was uploaded to Debian unstable in the evening (EST) on Thursday, March 2, 2006 and will be made available as of the archive run in the afternoon (EST) on Friday, March 3, 2006.

--
Debian gallery package maintainer

VENCO wrote:

I upgraded to 2.0.3 after having installed a nightly of 2.1 RC1. I don't recommend doing this, as it didn't work for me.

Are the enhancements in 2.0.3 included in the current 2.1 nightlies?
________________________
~GAME ON!!

mindless wrote:

VENCO, read above regarding 2.1.

VENCO wrote:

Right on! My bad...
Nice work on everything, guys. The program's been working excellently for me!
________________________
~GAME ON!!

Could someone please help?!
I updated my gallery installation with cvs update -Pd.
Now the following errors appear when I try to update my CVS version of gallery (I am trying to translate; my site is in German):
step 2:

Quote:
File-Integrity - Warning
(changed files 130)
(old files 4)

I did a CVS update!

I ignore this and go on to step 3:

Quote:
currently installed: 1.0.10
new version: 1.0.30
upgrade of config.php: needed

Quote:
Your upgrade cannot begin because some of your active modules/themes are incompatible or missing. You must either locate more recent versions of these modules or themes, or revert to your original version of Gallery. ...

Quote:
Theme PGtheme is incompatible

OK, what do I do now? I already downloaded and unzipped PGtheme 1.0.RC7, which didn't help. Also, I don't have any access to my gallery administration (only the update screen comes up) to uninstall that theme, or do I have to delete all the theme's files by hand?
I don't care about the theme; I don't use it, I just installed it to look at it.

please help!

thx.

(Something rings in my head that I may have installed the RC1 of 2.1 instead of 2.0.30 when running the CVS command? So how do I get back to 2.0.30 via CVS?)

scaturan wrote:

ckuka:

try the G2 forums at http://gallery.menalto.com/forum/66
don't post here; you won't get any assistance, and it will only make it hard for people to read the comments.

Great update, well done. Keep it coming! :)

lisa

mindless wrote:

We did.. go get 2.0.4!