Gallery 2.2.5 Security Fix Release
Gallery 2.2.5 is now available for download. This release fixes critical security issues, no new features have been added. Users of all previous Gallery 2 versions are strongly encouraged to upgrade to version 2.2.5 as soon as possible! All issues addressed in this release have been discovered in internal security audits.
Since 2.2.5 is a security release, it shares the same installation requirements as 2.2.4. If you haven't upgraded to 2.2.x yet, please review the Gallery 2.2 release notes for highlights of changes and the requirements. Read on for more details and upgrade instructions.
Upgrading is quick and easy
- Users of Gallery 2.1 or earlier should review release notes for requirement changes and update all application files.
- Users of Gallery 2.2 or later (2.2.1, 2.2.2, 2.2.3 or 2.2.4) can use an update file to upgrade specific core files and then upgrade the affected modules via Downloadable Plugins.
- After the upgrade, users of the Password module should check if any non-album items are password protected directly in their gallery. If this is the case, the password protection should be removed from that item and it should be protected with normal view permissions or moved into an album that is password protected.
Regardless of your Gallery's version, review the upgrading instructions for complete details.
Gallery 2.2.5 addresses the following security vulnerabilities:
- XSS through host and path component of request URL - The complete request URL is now properly sanitized (applying the same input filtering as for all other inputs). This severe vulnerability affects all modules.
- Information disclosure in album-select module - Fixed exposure of album titles through the album-select module when a guest would add a new album to a hidden album.
- Permission escalation through zip archive extraction - No longer creating sub-albums when adding items from a zip archive if the active user does not have the necessary permission to do so.
- Information disclosure through embed.php - embed.php is no longer susceptible to spoofing the remote address and thus no longer discloses the local filesystem path of the Gallery 2 installation folder.
- View permissions not enforced for password protected items - No longer offering the option to protect non-album items directly and only offering the feature for albums since full protection only applies to the items within the album.