Your message dated Thu, 18 Sep 2008 21:03:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#499408: fixed in gallery2 2.2.6-1
has caused the Debian Bug report #499408,
regarding Gallery 2.2.6 Security Fix Release available
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
499408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499408
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gallery2
Severity: grave
Tags: security

A new version has been released which fixes the following bugs:

* Arbitrary file disclosure through archive upload module - Users with "add
  item" permission could retrieve any file on the server that is owned by the
  web server account. The problem is caused by incorrect handling of ZIP
  archives that contain symbolic links.
  The Gallery team would like to thank Alex Ustinov for bringing this issue to
  our attention.
* Insecure cookies over HTTPS - When accessing Gallery over HTTPS, cookies
  were missing the "secure" flag, leaving the connection vulnerable to cookie
  sniffing attacks.
  The Gallery team would like to thank Hanno Boeck for bringing this issue to
  our attention.
* XSS through malicious Flash files - Flash animations that are embedded in
  Gallery are no longer allowed to interact with the embedding page and are no
  longer allowed to open network connections.
  While this protects visitors of your Gallery from potentially malicious Flash
  animations, the Gallery team would like to use this opportunity to remind you
  that it is generally highly recommended to only allow trusted users to add any
  files to your Gallery.

For more information, see http://gallery.menalto.com/gallery_2.2.6_released

Thanks and with kind regards, Jan.
-- 
Never write mail to <[EMAIL PROTECTED]>, you have been warned!



--- End Message ---
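The archive-upload issue in the report above stems from an extractor that recreates symlink members from an uploaded ZIP, so a link can point at any file the web server account can read. As an added example (not Gallery's code and not part of the Debian package), this Python routine inspects the Unix mode bits stored in each member's external attributes and refuses symlink and path-traversal entries before anything is written to disk; the sample archive is constructed inline.

```python
import io
import stat
import zipfile
from posixpath import normpath


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary file, one symlink member whose
    target lies outside the upload area, and one path-traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/ok.jpg", b"\xff\xd8\xff")
        link = zipfile.ZipInfo("photos/config.txt")
        # Unix mode bits live in the top 16 bits of external_attr; marking
        # the entry S_IFLNK is what a symlink-preserving archiver writes.
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        link.create_system = 3  # 3 = Unix, so readers honour the mode bits
        zf.writestr(link, b"/etc/passwd")  # a symlink's body is its target
        zf.writestr("../../../escape.txt", b"x")
    return buf.getvalue()


def entry_problems(data: bytes) -> list:
    """Return (member name, reason) for every member an extractor must refuse.

    An empty list means every member is a plain file or directory whose
    normalised path stays inside the extraction directory."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                problems.append((info.filename, "symlink"))
                continue
            name = info.filename
            if name.startswith("/") or normpath(name).startswith(".."):
                problems.append((name, "path traversal"))
    return problems


if __name__ == "__main__":
    for name, reason in entry_problems(build_sample_archive()):
        print(f"refusing {name!r}: {reason}")
```

Run the check on the uploaded archive and abort the whole upload if the list is non-empty, rather than skipping individual members, so a partially extracted archive never reaches the gallery tree.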
--- Begin Message ---
Source: gallery2
Source-Version: 2.2.6-1

We believe that the bug you reported is fixed in the latest version of
gallery2, which is due to be installed in the Debian FTP archive:

gallery2_2.2.6-1.diff.gz
  to pool/main/g/gallery2/gallery2_2.2.6-1.diff.gz
gallery2_2.2.6-1.dsc
  to pool/main/g/gallery2/gallery2_2.2.6-1.dsc
gallery2_2.2.6-1_all.deb
  to pool/main/g/gallery2/gallery2_2.2.6-1_all.deb
gallery2_2.2.6.orig.tar.gz
  to pool/main/g/gallery2/gallery2_2.2.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael C. Schultheiss <[EMAIL PROTECTED]> (supplier of updated gallery2 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.8
Date: Thu, 18 Sep 2008 19:43:30 +0000
Source: gallery2
Binary: gallery2
Architecture: source all
Version: 2.2.6-1
Distribution: unstable
Urgency: high
Maintainer: Michael C. Schultheiss <[EMAIL PROTECTED]>
Changed-By: Michael C. Schultheiss <[EMAIL PROTECTED]>
Description: 
 gallery2   - web-based photo album written in PHP
Closes: 471160 499408
Changes: 
 gallery2 (2.2.6-1) unstable; urgency=high
 .
   * Urgency high due to security fixes (CVE-2008-3662)
   * New upstream release (Closes: #499408)
   * Use system adodb rather than embedded copy
     (Thanks to Jan Wagner.  Closes: #471160)
     + debian/control: Add Depends on libphp-adodb




--- End Message ---
