Gallery 1.5-pl1 Security Release and Gallery 1.5.1-RC3 Preview Release

Gallery 1.5-pl1 is now available for download. It fixes several major security issues and it is strongly recommended that all users of 1.5 upgrade to this release immediately.

Gallery 1.5.1-RC3 is also now available for download. This release fixes several small issues discovered in the second Release Candidate including the security problems found in 1.5, and should be the final release candidate before 1.5.1.

Thanks to Cedric Cochin of http://cedri.cc/ and ilia on irc.freenode.net for notifying us of some of the security problems.


Download 1.5-pl1 or 1.5.1-RC3 from the Gallery Download Page. Visit the 1.5.1-RC3 Discussion Thread to submit bug reports or see a known issues list.

Note: 1.5.1-RC3 is a *pre-release* version, and you should be sure to BACK UP YOUR GALLERY *before* installing it and upgrading your current Gallery. Read on for information on how to back up critical data. We have provided a small PHP script with this version to assist you in making a backup. When you download and decompress this release, the script will be located in:

gallery/setup/backup_albums.php

To run this script, put your Gallery into configuration mode and copy backup_albums.php out of its location in the setup directory and into your existing main Gallery directory. Run this script from your browser. It will package the important album data and save a backup to your computer, in one of two formats: .tar.gz (useful on Unix/Linux systems) or .zip (useful on Windows systems).

The script gives you the option of backing up your entire albums ("All files") directory or just the Gallery database files ("Data files only"). While you should have a backup copy of all your photos, for most upgrades, it is sufficient to just back up the data files only. Note that backing up all the files could produce a *huge* file, since all of your photos will be included.

Finally, verify the contents of the downloaded backup file to make sure the files were indeed saved. Once you have the data files backed up, you can confidently proceed with reconfiguring your Gallery and updating your albums. Make sure you remove the copy of backup_albums.php from the Gallery directory, so visitors can't make a copy of your entire Gallery!
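The three manual steps above (stage the script, check the archive you downloaded, remove the script) can be wrapped in a small shell helper. The following is an added example, not part of the Gallery release and not code from backup_albums.php; it assumes a hypothetical layout where the first argument is the unpacked 1.5.1-RC3 tree and the second is the live Gallery directory served by the web server. The browser step itself is still done by hand, as the announcement describes.

```shell
#!/bin/sh
# Added example; not the Gallery project's own code and not part of
# backup_albums.php. Assumed (hypothetical) paths: $release_dir is the
# unpacked 1.5.1-RC3 tree, $gallery_dir is the live Gallery web root.
set -u

# Step 1: copy backup_albums.php from the unpacked release into the live
# Gallery directory. The script is run from the browser, so this only
# stages it and prints the reminder.
stage_backup_script() {
    release_dir=$1
    gallery_dir=$2
    cp "$release_dir/setup/backup_albums.php" "$gallery_dir/backup_albums.php" || return 1
    echo "Staged; open backup_albums.php in your browser and save the archive."
}

# Step 2: verify the downloaded archive lists at least one file, so a
# truncated download or an HTML error page saved as "backup" fails here
# rather than at restore time. Returns 0 and prints the entry count on
# success, 1 for an empty or unreadable archive, 2 for a name that is
# neither .tar.gz nor .zip (the two formats the script produces).
verify_backup() {
    archive=$1
    case "$archive" in
        *.tar.gz|*.tgz) count=$(tar tzf "$archive" 2>/dev/null | wc -l | tr -d ' ') ;;
        *.zip)          count=$(unzip -Z1 "$archive" 2>/dev/null | wc -l | tr -d ' ') ;;
        *) echo "verify_backup: unknown archive type: $archive" >&2; return 2 ;;
    esac
    count=${count:-0}
    if [ "$count" -gt 0 ]; then
        echo "$archive: $count entries"
        return 0
    fi
    echo "verify_backup: $archive is empty or unreadable" >&2
    return 1
}

# Step 3: remove the script from the web root and confirm it is gone.
# While it is present, anyone who can reach the URL can download the
# whole Gallery, which is the exposure the announcement warns about.
remove_backup_script() {
    gallery_dir=$1
    rm -f "$gallery_dir/backup_albums.php"
    [ ! -e "$gallery_dir/backup_albums.php" ]
}
```

Run stage_backup_script before opening the script in the browser, verify_backup on the file the browser saved, and remove_backup_script as soon as the download has been checked; a backup that was never listed with tar or unzip should not be trusted for the upgrade.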

New Features in 1.5.1
  • PHP 5 and PHP 4.4 fixes
  • eCard feature
  • Option to prevent some users from changing their password
  • Colorpicker for all color settings
  • Microthumbs for navigation
  • Easier way to reorder items
  • Small security fixes with some additional input validation
  • Icons for item and album actions
Fixes from RC1
  • Ecard and stamp previews work properly
  • Embedded URLs now work properly for mails and comment deletion
  • Updates for new versions of Postnuke
  • Proper Windows path separators
  • Sending emails is more reliable
  • Other small bug fixes
Fixes from RC2
  • Several embedding issues
  • Two security problems
  • Other small bug fixes
schultmc:

Version 1.5-2 of the Debian gallery package (which addresses these issues) was uploaded to Debian unstable on Saturday, August 27, 2005 and was made available as of the archive run in the afternoon (EST) on Saturday, August 27. These fixes should propagate to Debian Testing (Etch) in the next day or two. Fixed packages for Debian Stable (Sarge) and Oldstable (Woody) are being prepared by the Debian Security Team and should be available shortly.

Isn't there a Security Announcement mailing list? Could these security-related patches/fixes please be announced on the gallery-announce list as well?

ckdake:

Sorry for the delay in the announcement to -announce, they usually make it out the same time as the release but it slipped through the cracks this go around.

Album upgrade failed until I added this to classes/Albums.php on line 481.

    if (isset($this->fields['print_photos']['ezprints'])) {
        unset($this->fields['print_photos']['ezprints']);
        $changed = 1;
    }

Yet again stylesheet changes have caused problems with the upgrade. I wish things would settle down in that area so I wouldn't have to keep digging through code to figure out what changed each time...

I found the solution. I'm not sure why, but the install treats screen.css.default as the priority CSS file even when Gallery is not being embedded in another product.

danielneto:

When will the new language packs for this release be available for download? I think I may need to update mine! :D

Regards from Brazil
Daniel