Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200802-04 ] Gallery: Multiple vulnerabilities
Date: Mon, 11 Feb 2008 23:07:21
Message-Id: 47B0D554.10204@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200802-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Gallery: Multiple vulnerabilities
Date: February 11, 2008
Bugs: #203217
ID: 200802-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were discovered in Gallery.

Background
==========

Gallery is a web-based application for creating and viewing photo
albums.

Affected packages
=================

-------------------------------------------------------------------
 Package               /   Vulnerable   /                Unaffected
-------------------------------------------------------------------
1  www-apps/gallery        < 2.2.4                         >= 2.2.4
                                                              < 2.0

Description
===========

The Gallery development team reported and fixed critical
vulnerabilities during an internal audit (CVE-2007-6685, CVE-2007-6686,
CVE-2007-6687, CVE-2007-6688, CVE-2007-6689, CVE-2007-6690,
CVE-2007-6691, CVE-2007-6692, CVE-2007-6693).

Impact
======

A remote attacker could exploit these vulnerabilities to execute
arbitrary code, conduct Cross-Site Scripting and Cross-Site Request
Forgery attacks, or disclose sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Gallery users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/gallery-2.2.4"
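The affected range in the table above (vulnerable at or above 2.0 and below 2.2.4, the 1.x branch unaffected, 2.2.4 fixed) can be turned into an inventory check before and after the upgrade. The following script is an added example and not part of the GLSA or of Gentoo's tooling: the function names are my own, and it assumes the Portage VDB lives at its standard location /var/db/pkg. It implements enough of Gentoo's version ordering to get the boundary cases right (a `-rN` ebuild revision does not change the upstream version, `_rc`/`_beta`/`_pre` suffixes sort before their base version, `_pN` sorts after it).

```shell
#!/bin/sh
# Added example, not part of GLSA 200802-04: decide whether a
# www-apps/gallery version lies in the range the advisory marks as
# vulnerable, i.e. >= 2.0 and < 2.2.4 (the 1.x branch is listed as
# unaffected, 2.2.4 and later carry the fix).

# Compare the dotted numeric parts of two versions. Prints -1, 0 or 1.
# Missing trailing components count as 0, so 2.2 == 2.2.0; a letter
# glued to a component (2.2.4a) is ignored for the comparison.
numcmp() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# Rank a Gentoo suffix: _alpha/_beta/_pre/_rc sort before the bare
# version (rank 0 < 1), a _pN patch level sorts after it (rank 2).
suffix_rank() {
    case $1 in
        *_p|*_p[0-9]*) printf '%s\n' 2 ;;
        *_*)           printf '%s\n' 0 ;;
        *)             printf '%s\n' 1 ;;
    esac
}

# Full compare: drop the -rN ebuild revision (it never changes the
# upstream version), compare the numeric base, then the suffix rank.
vercmp() {
    a=${1%%-r*}; b=${2%%-r*}
    r=$(numcmp "${a%%_*}" "${b%%_*}")
    [ "$r" -ne 0 ] && { printf '%s\n' "$r"; return 0; }
    ra=$(suffix_rank "$a"); rb=$(suffix_rank "$b")
    [ "$ra" -lt "$rb" ] && { printf '%s\n' -1; return 0; }
    [ "$ra" -gt "$rb" ] && { printf '%s\n' 1; return 0; }
    printf '%s\n' 0
}

# True (exit 0) when the version given as $1 is in the advisory's
# vulnerable range: >= 2.0 and < 2.2.4.
gallery_vulnerable() {
    [ "$(vercmp "$1" 2.0)" -ge 0 ] && [ "$(vercmp "$1" 2.2.4)" -lt 0 ]
}

# Installed versions read from the Portage VDB. Assumption: the VDB is
# at its default path /var/db/pkg. Prints nothing if Gallery is absent.
installed_gallery_versions() {
    for d in /var/db/pkg/www-apps/gallery-[0-9]*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/gallery-}"
    done
}

# Stand-alone use: check versions given as arguments, otherwise whatever
# is installed on this host.
if [ $# -gt 0 ]; then
    versions=$*
else
    versions=$(installed_gallery_versions)
fi
for v in $versions; do
    if gallery_vulnerable "$v"; then
        echo "www-apps/gallery-$v: vulnerable (GLSA 200802-04), upgrade to >= 2.2.4"
    else
        echo "www-apps/gallery-$v: not in the affected range"
    fi
done
```

Run it with no arguments on a Gentoo host to check the installed package, or pass version strings (for example `sh check-gallery.sh 2.2.3 2.2.4-r1 1.5.8`) to exercise the boundaries. Re-running it after `emerge` confirms the VDB now records a fixed version; the version logic is deliberately separate from the VDB lookup so it can also be fed output from a package inventory collected elsewhere.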

References
==========

[ 1 ] CVE-2007-6685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6685
[ 2 ] CVE-2007-6686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6686
[ 3 ] CVE-2007-6687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6687
[ 4 ] CVE-2007-6688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6688
[ 5 ] CVE-2007-6689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6689
[ 6 ] CVE-2007-6690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6690
[ 7 ] CVE-2007-6691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6691
[ 8 ] CVE-2007-6692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6692
[ 9 ] CVE-2007-6693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6693

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200802-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHsNVUuhJ+ozIKI5gRAlQUAJ9lFeYFWn1P5j9gCoQZeMPDd2Qv7gCeMHGd
9O6IeInam6ViQoXcHvw1twU=
=Gzzi
-----END PGP SIGNATURE-----
--
gentoo-announce@l.g.o mailing list