Gallery 2.2.3 Security Fix Release

Gallery 2.2.3 is now available for download. This release adds no new features. It fixes critical application security bugs in the WebDAV and Reupload modules. If the WebDAV or Reupload modules are active in your Gallery we strongly recommend that you either disable them, upgrade them via Downloadable Plugins or perform a complete upgrade to version 2.2.3. Thanks go to Merrick Manalastas and Nicklous Roberts for reporting the issues to the Gallery Security team!

Gallery 2.2.3 is a small security upgrade from 2.2.2 and has the same requirements as 2.2.2. If you haven't upgraded to 2.2.x yet, please refer to the release announcement of Gallery 2.2 for highlights of changes and the requirements of the Gallery 2.2 release.

Read on for more details and upgrade instructions...

Is your Gallery installation affected? You can check whether the WebDAV or Reupload module is active on the Site Admin » Plugins page of your Gallery. If these modules are not active, you can safely skip Gallery 2.2.3.

Upgrading instructions:
  • Users of Gallery 2.2 or later versions can upgrade the WebDAV and Reupload modules via Downloadable Plugins from the official plugin repository. This is certainly the fastest and the easiest solution.
  • Upgrading is quick and easy, but if you're upgrading from 2.1 or earlier there are a few things you should know first, so be sure to read the upgrading instructions. Upgrading from Gallery 2.2, 2.2.1 or 2.2.2 is even easier, since you don't need to replace all your gallery2/ files, only the changed files in the affected modules.

Security vulnerabilities - Gallery 2.2.3 addresses the following security vulnerabilities:
  • Unauthorized renaming of items possible with WebDAV (reported by Merrick Manalastas)
  • Unauthorized modification and retrieval of item properties possible with WebDAV
  • Unauthorized locking and replacing of items possible with WebDAV
  • Unauthorized editing of data file possible via linked items with Reupload and WebDAV (reported by Nicklous Roberts)
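As an added example (not code from the Gallery project), here is a small check a site admin could run over the web server's access log while deciding whether to disable or upgrade the module: it flags WebDAV write-type requests (MOVE for renaming, PROPPATCH for property changes, LOCK for locking, PUT for replacing a file) aimed at the Gallery install. The `/gallery2/` path prefix and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WebDAV methods that carry out the operations named in the advisory:
# renaming -> MOVE, property modification -> PROPPATCH, locking -> LOCK,
# replacing a data file -> PUT (COPY/DELETE included as other write methods).
WRITE_METHODS = {"MOVE", "PROPPATCH", "LOCK", "PUT", "COPY", "DELETE"}

# Assumption: the Gallery install (and so its WebDAV module) lives under this prefix.
GALLERY_PREFIX = "/gallery2/"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_webdav_writes(lines, prefix=GALLERY_PREFIX):
    """Return the parsed entries that are WebDAV write-type requests to Gallery."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["method"] in WRITE_METHODS and e["path"].startswith(prefix):
            hits.append(e)
    return hits


def summarize(hits):
    """Count flagged requests per (source IP, method) to prioritise review."""
    return Counter((h["ip"], h["method"]) for h in hits)


# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2007:10:01:02 +0000] "GET /gallery2/main.php?g2_itemId=42 HTTP/1.1" 200 5123 "-" "Mozilla"',
    '203.0.113.5 - - [29/Aug/2007:10:01:09 +0000] "MOVE /gallery2/w/album/photo.jpg HTTP/1.1" 201 0 "-" "cadaver"',
    '203.0.113.5 - - [29/Aug/2007:10:01:15 +0000] "PROPPATCH /gallery2/w/album/photo.jpg HTTP/1.1" 207 412 "-" "cadaver"',
    '198.51.100.7 - - [29/Aug/2007:10:02:00 +0000] "LOCK /gallery2/w/album/ HTTP/1.1" 200 310 "-" "cadaver"',
    '198.51.100.7 - - [29/Aug/2007:10:02:30 +0000] "PUT /other/file.txt HTTP/1.1" 201 0 "-" "cadaver"',
    '192.0.2.9 - - [29/Aug/2007:10:03:00 +0000] "PROPFIND /gallery2/w/ HTTP/1.1" 207 900 "-" "cadaver"',
]

if __name__ == "__main__":
    for (ip, method), n in summarize(flag_webdav_writes(SAMPLE_LOG)).items():
        print(f"{ip} {method} x{n}")
```

Because Gallery authenticates through its own session rather than HTTP auth, the log's user field is not a reliable signal; the method and path are what matter here.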

Bounties - As part of Gallery's Bounty Program, Merrick Manalastas will receive a bounty of $500 and Nicklous Roberts a bounty of $200 for reporting the security vulnerabilities to the Gallery Security team. Please remember that to receive the full bounty you should report security issues to security@gallery.menalto.com and not make them public at all (not even in the bug tracker) before we have had a chance to fix the issue.

Update 2007/11/09: An annoying bug sneaked into Gallery 2.2.3's WebDAV module. Please upgrade your WebDAV module via Site Admin » Plugins » Get More Plugins to get a fix for this issue.

schultmc:

Version 2.2.3-1 of the Debian gallery2 package was uploaded in the afternoon (EDT) of Thursday, August 30, 2007 and should be available in Debian unstable as of the archive run in the afternoon (EDT) of Friday, August 31, 2007.

--
Debian gallery package maintainer

An annoying bug sneaked into Gallery 2.2.3's WebDAV module. Please upgrade your WebDAV module via Site Admin » Plugins » Get More Plugins to get a fix for this issue. Sorry for the inconvenience.

Hello to all,
I am very impressed with your program, Gallery,
but I tried to find a demo link and I don't get anything, just pictures, so how can I get a demo URL? Is there a link to a website that has this program installed?
Really, I hope so; I need it so I can install it on my site:
Bnateeen

With best Regards
AL

floridave:

Demo:
http://codex.gallery2.org/Evaluate_Gallery

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

noclegi:

Thank you for the new Gallery 2.2.3. This is very useful for the users of my website http://www.nocuj.com.pl. I have inserted a link to the new version of Gallery on my site. Greetings

It was an amazing experience to visit this website and read the articles and contents.