Gallery 2.0.1 Released

Gallery 2.0.1 is now available for download. This release adds no new features. It fixes a security flaw that could allow remote visitors to view sensitive files on your webserver. All releases of Gallery 2, from Alpha 1 onwards, are vulnerable to this issue and we strongly recommend that you upgrade to version 2.0.1 as soon as possible. Please follow our upgrading instructions and download and install the latest release.

Thanks to Michael Dipper for identifying this security issue, bringing it to our attention and giving us time to respond appropriately!

Thanks for the heads-up and quick response!

Is there a changelog of other fixes or changes...any sort of changelog whatsoever?

quest
It's just a patch release. No features were added.
And no, there's no changelog.

schultmc

Version 2.0.1-1 of the Debian packages for gallery2 was uploaded to the Debian archive in the afternoon (EST) of Friday, October 14, 2005 and should be available in Debian unstable after the archive run in the afternoon (EST) of Friday, October 14, 2005.

--
Debian gallery package maintainer

Was anyone able to reproduce this exploit on Windows running IIS6?

Works great!

the interactive installation that checks to make sure everything's ok before proceeding is simply brilliant...

cheers!

- kso

mindless

jpeadro, there is nothing platform-specific about this security bug. All Gallery 2 installs should be patched/upgraded (good question, thanks).

I understand this exploit is not platform-specific. Before I apply patches, if a PoC is available I like to test it out. I, as well as a few other Gallery friends who have installs, have tested the exploit and have not been able to reproduce the desired outcome. In addition, I was wondering how the exploit is possible if your webserver process is running under limited credentials, i.e. on Windows the iusr_xxx account. As long as that account doesn't have permissions to any other directories outside your webroot, the attack should not be able to take place, as that account would not have the necessary permissions to read other files and/or folders.
Thoughts/rants

h0bbel

As far as I can tell, this is true. I was never able to reproduce this on my server either, but it's better to be safe than sorry no matter what.

h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

This is an unrelated comment/question but pertinent. I just finished developing/deploying a new gallery2 page and everything works nicely. Since its managed by the users, I don't check up on things that often and it just so happened that I checked out the gallery home page this week and noticed this security upgrade. I guess my question is if there is some sort of simple announcement mailing list that I can subscribe to so that I'm informed of these updates? I noticed i can subscribe to the forums, but I don't want to stay deeply involved with the discussions or have it filling up my mail box. Any suggestions?

h0bbel

The Gallery-Announce list has this purpose, check http://codex.gallery2.org/index.php/Mailing_Lists

h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

htsolutions

Thanks guys for creating a more secure gallery....

Hey I was surprised that over at MSN we are #1 for searches on "basement remodels" and #2 for
"bathroom remodels". These searches show Gallery2 photos from our projects.

Thanks guys..

http://www.homtechsol.com

HTS

FOBioPatel

Ack! I'm still stuck on Alpha 1. Will this patch work for that as well!?

h0bbel

Definitely not, FOBioPatel.

h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

I cannot create the thumbnail, can anyone tell me what is going on??? I have the correct path for ImageMagick, but every time I upload files, it just returns "CAN NOT CREATE THUMBNAIL", which means I cannot upload any files to my server, please help!!!!

Please report your problems in the forums. Thanks.