Gallery 1.5.8 Released

Gallery 1.5.8 is now available for download. This release fixes many security issues, some of them serious. It also resolves a handful of bugs and reorganizes the internal API somewhat (which is documented here). We strongly recommend that all users of Gallery 1.5.7 and earlier upgrade to this release to protect their Gallery installations. You can download Gallery 1.5.8 from the Gallery 1 download page on SourceForge. Upgrade instructions are available on our documentation site. Please discuss any issues specific to this release in this forum thread.

One security issue was reported to us in private by the Digital Security Research Group [DSecRG], who were professional and are waiting until after this release to publish their findings.

Most of the security issues resolved in this release are the result of a security audit performed by Gotham Digital Science (GDS). They are experts in application security, as this is the primary focus of their business. We recognize that hiring external consultants to perform security audits does not guarantee that our code is bug-free, and by no means makes it un-hackable, but it clearly indicates our willingness to perform due diligence to make sure our code is reasonably secure. The combination of the external perspective of security experts and the insight of internal experts, both performing detailed audits, is yielding much better results than either perspective alone. While these security fixes are not in our public source code repository prior to the release, we will begin adding them to it as soon as possible once this story is posted.

schultmc's picture

Version 1.5.8-1 of the Debian gallery package was uploaded in the afternoon (EDT) on 2008-08-05 and should be available in Debian unstable after the archive run in the afternoon (EDT) on 2008-08-05.

--
Debian gallery package maintainer

Thank you so much for supporting Gallery 1.xxx. Upgrade works fine, great job. Please stay tuned with Gallery 1.xxx! Best Regards, Ollie

sruckh's picture

In the lib/ sub-directory I had a file named Form.php; I had to rename this file to form.php before I could upgrade from 1.5.7. It appears the file in the package is correct:

gallery-1.5.8/lib/form.php

I am kind of wondering what happened here, but I thought I would post in case others see this issue.