Gallery 1.4.4-pl4 Security Release
EDIT: This release is a replacement for 1.4.4-pl3 which had an issue discovered shortly after release.
Jim Paris discovered a few security problems in Gallery which have been addressed in 1.4.4-pl4. The primary problem is a cross site scripting vulnerability which allows code to be inserted into a Gallery by using specially formed URLs. This code then appears to be part of the Gallery.
No risk is posed to the web server itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code.
All Gallery users are very strongly urged to upgrade to 1.4.4-pl4 immediately, which fixes this serious problem and will secure your system.
Gallery 1.4.4-pl4 can be downloaded from the Gallery Download Page.

Have a list of changes? So we can manually update if desired? thx
How about a patch file? Since this replaces 1.4.4-pl3, a patch from 1.4.4-pl2 to 1.4.4-pl4 would be ideal.
Version 1.4.4-pl4-1 of the Debian gallery package was uploaded on Wednesday, November 3, 2004 and should be available in Debian unstable after the archive run completes in the afternoon (EST) of Thursday, November 4, 2004.

I forgot to include a Debian-related update (including the Japanese translation of the Debconf templates) in the 1.4.4-pl4-1 package and shortly thereafter prepped and uploaded 1.4.4-pl4-2.
I created one (since it doesn't appear that there is one in the downloads section, yet anyways)
http://g3cko.info/gallery2-4.patch
Thanks to all for the seamless and issue-free security upgrade. Can't wait for G2 to come out. I have been a devotee to Gallery for some time and it just gets better and better. Certainly one of the best open-source PHP efforts in my book.

Keep up the great work. Wish I could help, but I'm not a programmer... just a power user of sorts.
Upgrade went fine. No problem.
This patch is great

I have just patched 11 installs of gallery in 10 mins

Thank you very much

Dan
There were a few places where the patch failed, such as in a comments section for the
$Id: view_photo.php,v
and some lines in the FAQ that had
<a name="...">
tags, but all the important stuff just patched right in. Beautiful!
errr... how does one install the patch? I managed to get gallery working only because I found a step-by-step tutorial for dummies...
I made the diff from the 1.4.4-pl2 release that I downloaded the same day as I downloaded 1.4.4-pl4, so perhaps it's a newer version than the one that was originally released.
This patch was made using diff -r -u gallery-1.4.4-pl2 gallery-1.4.4-pl4
so the easiest way to apply it would be to be in your gallery directory, and run patch -p1 < /path/to/gallery2-4.patch
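The diff/patch workflow described in this post, as an added example written for this page (not code from the Gallery project or from the poster): it builds constructed old/new/local trees, generates the patch with diff -r -u, dry-runs patch -p1, then applies it and lists the .rej files left behind when a locally different $Id line makes one hunk fail, the situation reported earlier in the thread. The directory names, file contents and the clean() call are all constructed.

```shell
#!/bin/sh
# Added example, not code from the Gallery project or from the poster: the
# "diff -r -u old new" then "patch -p1" flow on constructed trees. The local
# install carries a CVS-expanded $Id line that differs from the release, so
# that hunk is rejected while the rest applies, as reported in this thread.

# old/ = release the patch starts from, new/ = patched release, local/ = an
# install of old/ whose $Id line was expanded differently (all constructed).
make_trees() {
    for d in old new local; do mkdir -p "$1/$d"; done
    i=2; while [ "$i" -le 11 ]; do echo "filler line $i"; i=$((i + 1)); done > "$1/filler"
    { echo '// $Id: view_photo.php,v 1.10 $'; cat "$1/filler"; echo 'print $id;'; } \
        > "$1/old/view_photo.php"
    { echo '// $Id: view_photo.php,v 1.11 $'; cat "$1/filler"; echo 'print clean($id);'; } \
        > "$1/new/view_photo.php"
    { echo '// $Id: view_photo.php,v 1.10.2.1 $'; cat "$1/filler"; echo 'print $id;'; } \
        > "$1/local/view_photo.php"
    echo 'FAQ entry' > "$1/old/faq.html"
    printf 'FAQ entry\nnew FAQ entry\n' > "$1/new/faq.html"
    cp "$1/old/faq.html" "$1/local/faq.html"
    rm "$1/filler"
}

# Build the patch the way the poster did: recursive unified diff over relative
# directory names, so "patch -p1" strips exactly the leading old/ or new/.
make_patch() {
    ( cd "$1" && diff -r -u old new > gallery.patch ) || true  # exit 1 = trees differ
}

# Dry-run first so failing hunks show up before any file is touched, then apply
# and list every .rej file. Prints the number of .rej files (0 means clean).
apply_patch() {
    if ! ( cd "$1" && patch -p1 -f --dry-run < "$2" ) >/dev/null 2>&1; then
        echo "dry run: some hunks do not apply; applying the rest and saving rejects" >&2
    fi
    ( cd "$1" && patch -p1 -f < "$2" ) >/dev/null 2>&1 || true  # exit 1 = hunks rejected
    find "$1" -name '*.rej' >&2            # each of these needs a manual merge
    find "$1" -name '*.rej' | wc -l | tr -d ' '
}

# End-to-end run in a scratch directory; prints the reject count (1 here).
run_demo() {
    work=$(mktemp -d)
    make_trees "$work"
    make_patch "$work"
    apply_patch "$work/local" "$work/gallery.patch"
}
```

Source the file and call run_demo to see the single view_photo.php.rej while faq.html and the second view_photo.php hunk apply cleanly.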
I also have a heavily modified gallery? A list of changes would _really_ help!
I'm running v1.4.1-pl1 still. Would this patch help me? Do I need to upgrade to 1.4.4 first?
I'm using the gallery 1.4.x for quite a long time but the latest version still has a problem on the action of "move album" or "move photo" for some albums inside the gallery. The pop-up window right after clicking the "move album" or "move photo" shows only the destination album selection but the "move" action button is missing. The list of destination albums is not complete and I can find only the first tens of the gallery albums. It's very annoying that I have to recreate a new album and do the upload action again when trying to move the photo or album to a different location.

My gallery now has 13,xxx photos and hundreds of albums or sub-albums uploaded. I'm not sure if the bug only affects some albums on a large gallery.
Hello,
Did you find any solution about this problem?
I have the same one but my gallery is really smaller than yours! (< 3,000)

Thanks in advance,
Mc Clain
I've noticed with my install of this version that in Firefox 1.0 PR I cannot view the Admin options area. Is there something I am missing with the install, or a plugin for Firefox?