Gallery 2.2.5 Security Fix Release

Gallery 2.2.5 is now available for download. This release fixes critical security issues; no new features have been added. Users of all previous Gallery 2 versions are strongly encouraged to upgrade to version 2.2.5 as soon as possible! All issues addressed in this release have been discovered in internal security audits.

Since 2.2.5 is a security release, it shares the same installation requirements as 2.2.4. If you haven't upgraded to 2.2.x yet, please review the Gallery 2.2 release notes for highlights of changes and the requirements. Read on for more details and upgrade instructions.

Upgrading Instructions

Upgrading is quick and easy

  • Users of Gallery 2.1 or earlier should review release notes for requirement changes and update all application files.
  • Users of Gallery 2.2 or later (2.2.1, 2.2.2, 2.2.3 or 2.2.4) can use an update file to upgrade specific core files and then upgrade the affected modules via Downloadable Plugins.
  • After the upgrade, users of the Password module should check if any non-album items are password protected directly in their gallery. If this is the case, the password protection should be removed from that item and it should be protected with normal view permissions or moved into an album that is password protected.

Regardless of your Gallery's version, review the upgrading instructions for complete details.

Security Vulnerabilities

Gallery 2.2.5 addresses the following security vulnerabilities:

  • XSS through host and path component of request URL - The complete request URL is now properly sanitized (applying the same input filtering as for all other inputs). This severe vulnerability affects all modules.
  • Information disclosure in album-select module - Fixed exposure of album titles through the album-select module when a guest would add a new album to a hidden album.
  • Permission escalation through zip archive extraction - No longer creating sub-albums when adding items from a zip archive if the active user does not have the necessary permission to do so.
  • Information disclosure through embed.php - embed.php is no longer susceptible to spoofing the remote address and thus no longer discloses the local filesystem path of the Gallery 2 installation folder.
  • View permissions not enforced for password protected items - No longer offering the option to protect non-album items directly and only offering the feature for albums since full protection only applies to the items within the album.

I did an svn update using the 2_2 branch.

Got the following errors during the system check stage,

Quote:
Notice: Undefined offset: 3 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 2 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 1 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 4 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 3 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 2 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 1 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 4 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 3 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

Notice: Undefined offset: 2 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

The upgrade still worked though.

scaturan's picture

thank you!
___________________________________________________
http://scaturan.buriguri.jp/blog/wpg2

schultmc's picture

Version 2.2.5-1 of the Debian gallery2 package was uploaded in the morning (EDT) of Thursday, June 12, 2008 and should be available in Debian unstable as of the archive push in the afternoon (EDT) on Thursday, June 12, 2008.

--
Debian gallery package maintainer

@lysp:
That usually happens when you've got a corrupt MANIFEST file. MANIFEST files are at gallery2/MANIFEST, gallery2/modules/*/MANIFEST and gallery2/themes/*/MANIFEST.
Fix: replace them. If you're using SVN, delete the file and get it again with svn up.

--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage

Is there any ChangeLog?

The above story mentions all changes in this release compared to the last previous release (2.2.5 vs. 2.2.4).

There's no detailed changelog for G2. For all details, you can use the Subversion history (e.g. via http://fisheye3.atlassian.com/browse/gallery/trunk/); for a high-level history, there's the README.html, which has highlights for all major releases.


bharat's picture
lysp wrote:
I did an svn update using the 2_2 branch.

Got the following errors during the system check stage,

Quote:
Notice: Undefined offset: 3 in /home/username/public_html/photos/modules/core/classes/GalleryUtilities.class on line 1224

This looks like something went wrong in the MANIFEST checking code (the code that verifies that your code is ok). It is probably from having an extra 3rd party module, though, since we've verified all of the stuff that we shipped with the package. Do you have any of those? Either way, if the upgrade completed successfully you're ok.

All the manifests were changed/corrupted:

Quote:
M themes/classic/MANIFEST
M themes/siriux/MANIFEST
M themes/matrix/MANIFEST
M themes/matrix/templates/theme.tpl
M themes/floatrix/MANIFEST
M themes/ajaxian/MANIFEST
M modules/flashvideo/MANIFEST
M modules/register/MANIFEST
M modules/netpbm/MANIFEST
M modules/debug/MANIFEST
M modules/members/MANIFEST
M modules/uploadapplet/MANIFEST
M modules/hidden/MANIFEST
M modules/imageframe/MANIFEST
M modules/imageblock/MANIFEST
M modules/imagemagick/MANIFEST
M modules/useralbum/MANIFEST
? modules/rating/MANIFEST.mine
? modules/rating/MANIFEST.r17064
? modules/rating/MANIFEST.r17295
C modules/rating/MANIFEST

etc, etc

What I think I may have done, now I think of it, is run the "update modules" from the admin system.

Would this cause issues? And does this need to be avoided by people running svn versions?

bharat's picture

Oh. It looks like you might have run lib/tools/makeManifest.php (or the older perl version) which would update your local manifests. That would definitely do it. See how your ratings MANIFEST has a C marker? That means that it's in conflict which is probably why you're seeing the warnings you saw during the upgrade. This isn't fatal, but you should fix it. Easiest way to fix it is to run this command:

svn revert `find . -name MANIFEST`

This assumes that you didn't intentionally mean to modify any of those files. Even if you did, it's ok to revert them.. you can always regenerate them if you want.
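The following is an added example, not part of the original thread or of Gallery's own tooling: a triage of `svn status` output that separates the MANIFEST files the revert above targets from other local changes, which the MANIFEST integrity check will still see as differing from the shipped code. The `triage` and `sample_status` names are hypothetical, the sample lines are a subset of the listing quoted earlier, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: classify `svn status` lines before reverting MANIFEST files.
# Input format assumed: "<status> <path>", one entry per line, no spaces in paths.

# triage MODE  (reads svn status output on stdin)
#   revert   -> modified (M) or conflicted (C) MANIFEST files
#   other    -> modified/conflicted files that are NOT MANIFEST files
#   leftover -> unversioned conflict artifacts (MANIFEST.mine, MANIFEST.rNNNN)
triage() {
    awk -v mode="$1" '
        {
            st = substr($1, 1, 1)
            p  = $2
            is_manifest = (p == "MANIFEST" || p ~ /\/MANIFEST$/)
            is_leftover = (p ~ /\/MANIFEST\.(mine|r[0-9]+)$/)
        }
        mode == "revert"   && (st == "M" || st == "C") && is_manifest  { print p }
        mode == "other"    && (st == "M" || st == "C") && !is_manifest { print p }
        mode == "leftover" && st == "?" && is_leftover                  { print p }
    '
}

# Sample input: a subset of the status listing quoted in the thread.
sample_status() {
    cat <<'EOF'
M themes/matrix/MANIFEST
M themes/matrix/templates/theme.tpl
M modules/hidden/MANIFEST
? modules/rating/MANIFEST.mine
? modules/rating/MANIFEST.r17064
? modules/rating/MANIFEST.r17295
C modules/rating/MANIFEST
EOF
}

echo "MANIFEST files to revert:"
sample_status | triage revert
echo "Other local changes (not touched by the MANIFEST revert):"
sample_status | triage other
echo "Conflict leftovers to review:"
sample_status | triage leftover

# On a real working copy, replace sample_status with `svn status`, e.g.:
#   svn status | triage revert | while read -r f; do svn revert "$f"; done
```

A file such as themes/matrix/templates/theme.tpl shows up under "other": reverting the MANIFEST files restores the checksums, but the modified template still has to be reviewed or reverted separately.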

Thanks.. had already reverted them - although the longer way.

Not sure I remember running the manifest tool. If it's not linked in the admin system then I'm almost definitely sure I didn't run it.

It's all fixed now though. Maybe this might be another path to consider in the upgrade script? As other people may have run into the same issue.

saimon's picture

Hello,

Ever since I upgraded to Gallery 2.2.5 I can no longer see my photos big. I see the index, but I don't see the photos enlarged.

In addition I had a gallery protected with the password and now the password field is no longer displayed.

What happened? What can I do? Please help.

I'm not an expert ...

greetings saimon

@saimon:
Please open a new forum topic in the G2 support forum to discuss your case. And please include a link to your Gallery in that topic.
Thanks!


caddymob's picture

valiant -- I'm really not sure if this is helpful, but I had problems when switching to a new host due (I think) to php5 run as a cgi. I have this post with my solution. You tell me, does it make sense or did I get lucky?

http://gallery.menalto.com/node/79055#comment-278986

_______________________________________

Highly Dynamic Photography | Jason Corneveaux

DWRZ's picture

I've never had any issues before with upgrading gallery2. This upgrade however, did much more harm than good. My site is basically unusable now, and worse this comes at a time when I really need it.