Gallery 2.2.6 Security Fix Release

Gallery 2.2.6 is now available for download. This release fixes critical security issues, no new features have been added. Users of all previous Gallery 2 versions are strongly encouraged to upgrade to version 2.2.6 as soon as possible! The Gallery team thanks Alex Ustinov and Hanno Boeck for reporting the security issues through the right channels and will reward them with a well deserved security bounty.

Since 2.2.6 is a security release, it shares the same installation requirements as 2.2.5. If you haven't upgraded to 2.2.x yet, please review the Gallery 2.2 release notes for highlights of changes and the requirements. Read on for more details and upgrade instructions.

Upgrading Instructions

Upgrading is quick and easy

  • Users of Gallery 2.1 or earlier should review release notes for requirement changes and update all application files.
  • Users of Gallery 2.2 or later (2.2.1, 2.2.2, 2.2.3, 2.2.4 or 2.2.5) can use an update file to upgrade specific core files and then upgrade the affected modules via Downloadable Plugins.

Regardless of your Gallery's version, review the upgrading instructions for complete details.

Security Vulnerabilities

Gallery 2.2.6 addresses the following security vulnerabilities:

  • Arbitrary file disclosure through archive upload module - Users with "add item" permission could retrieve any file on the server that is owned by the web server account. The problem is caused by incorrect handling of ZIP archives that contain symbolic links.
    The Gallery team would like to thank Alex Ustinov for bringing this issue to our attention.
  • Insecure cookies over HTTPS - When accessing Gallery over HTTPS, cookies were missing the "secure" flag, leaving the connection vulnerable to cookie sniffing attacks.
    The Gallery team would like to thank Hanno Boeck for bringing this issue to our attention.
  • XSS through malicious Flash files - Flash animations that are embedded in Gallery are no longer allowed to interact with the embedding page and are no longer allowed to open network connections.
    While this protects visitors of your Gallery from potentially malicious Flash animations, the Gallery team would like to use this opportunity to remind you that it is generally highly recommended to only allow trusted users to add any files to your Gallery.
scaturan's picture

as always, thank you for addressing the said issues in a timely manner!

grebulon's picture

What about 2.3 RC1? Does it have this issue as well? Is there a security fix for it too?

ckdake's picture

grebulon: 2.3 RC2 should be out shortly!

____ - If you found my help useful, please consider donating to Gallery.

All the Upgrades say from V.... to V2.5 what about ubdate 2.2.5 > 2.2.6

same problem! where is the upgrade from 2.5 to 2.6?

There is no version 2.5 or 2.6.
What you might mean is version 2.2.5. And of course can you simply update from it as mentioned in the text on the top.

The 2.2.5 to 2.2.6 upgrade is mislabelled as (the second) 2.2.4 to 2.2.6

The link is


@mexicobob, ASNet0007, rakso:
thanks for reporting this typo. it has been fixed. please check the download / upgrade page again.

schultmc's picture

Version 2.2.6-1 of the Debian gallery2 package was uploaded in the afternoon (EDT) on Thursday, September 18, 2008. It will be available in Debian unstable after the archive push in the afternoon (EDT) on Friday, September 19, 2008.

Debian gallery package maintainer

"Version 2.2.6-1", lol, that's so pessimistic. preparing for the case that we have to repackage the thing, don't you? :)

schultmc's picture


heh, the -n is the Debian package version. A higher value for n means the debian package was updated for whatever reason. If Gallery had to repackage something, the version before the -n would change :)

Debian gallery package maintainer

Upgrade installation is very easy and the tool works very well. It does everything I need/expect without any issues! Thanks!
Best regards, Jacob

Very good website. I liked it very much.

just upgraded. It was hassle free upgradation without any issues. Just wondering when is new version going to be out?