Gallery 1.5.9 Released

Gallery 1.5.9 is now available for download. This release fixes several security issues.

This version also resolves a handful of bugs found in Gallery 1.5.8. We strongly recommend that all users of Gallery 1.5.8 and earlier upgrade to this release to protect their Gallery installation. You can download Gallery 1.5.9 from the Gallery 1 download page on SourceForge. Upgrade instructions are available on our documentation site. Please discuss any issues specific to this release in this forum thread.

The Gallery team thanks Alex Ustinov and Hanno Boeck for reporting the security issues through the right channels and will reward them with a well-deserved security bounty.

Gallery 1.5.9 addresses the following security vulnerabilities:

  • Arbitrary file disclosure through zip upload functionality - Users with permission to add items could retrieve any file on the server that is owned by the web server account. The problem is caused by incorrect handling of ZIP archives that contain symbolic links.
    The Gallery team would like to thank Alex Ustinov for bringing this issue to our attention.
  • Insecure cookies over HTTPS - When accessing Gallery over HTTPS, cookies were missing the "secure" flag, leaving the connection vulnerable to cookie sniffing attacks.
    The Gallery team would like to thank Hanno Boeck for bringing this issue to our attention.
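The first item above describes a ZIP archive whose entries are symbolic links: once such an entry is extracted into the upload directory, a later download of that "item" follows the link and returns whatever file the web server account can read. The check below, added here as an illustration and not code from Gallery (which is written in PHP), inspects each ZIP entry's Unix mode bits and refuses archives that contain a symlink or a path that escapes the extraction directory. The sample archive, its file names and the link target are all constructed for the example.

```python
"""Refuse ZIP archives that carry symbolic-link or path-escaping entries.

Added example (not Gallery's code): ZIP archives created on Unix store the
entry's file mode in the top 16 bits of external_attr, which is enough to
recognise a symlink before anything is written to disk.
"""
import io
import stat
import zipfile


def zip_entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix-created entries keep st_mode in the high 16 bits of external_attr.
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def zip_entry_escapes(name: str) -> bool:
    # An absolute path or a '..' segment would land outside the target directory.
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts


def unsafe_entries(archive_bytes: bytes) -> list[str]:
    """Return the names of entries that must block extraction."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if zip_entry_is_symlink(info) or zip_entry_escapes(info.filename):
                bad.append(info.filename)
    return bad


def safe_extract(archive_bytes: bytes, dest: str) -> list[str]:
    """Extract only when every entry passed the checks; return the extracted names."""
    bad = unsafe_entries(archive_bytes)
    if bad:
        raise ValueError(f"refusing archive with unsafe entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive(with_symlink: bool) -> bytes:
    """Constructed sample: one harmless image entry, optionally plus a symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/cat.jpg", b"\xff\xd8\xff\xd9")  # minimal JPEG markers
        if with_symlink:
            link = zipfile.ZipInfo("photos/link.txt")
            link.create_system = 3  # 3 = Unix, so external_attr carries the mode
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            # A symlink entry's data is its target path (placeholder, constructed).
            zf.writestr(link, "../../../placeholder-outside-upload-dir.txt")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean archive:", unsafe_entries(build_sample_archive(False)))
    print("symlink archive:", unsafe_entries(build_sample_archive(True)))
```

Rejecting the whole archive, rather than silently skipping the offending entry, is the simpler policy to reason about: an uploader never gets partial extraction and the rejected name can be logged for review. The mode-bit check only works for entries whose creator recorded a Unix mode, so extraction code should also refuse to follow symlinks that already exist in the destination tree.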

Version 1.5.9-1 of the Debian gallery package was uploaded in the afternoon (EDT) on Tuesday, September 16, 2008. It will be available in Debian unstable after the archive push in the afternoon (EDT) on Wednesday, September 17, 2008.

--
Debian gallery package maintainer