Gentoo Archives: gentoo-announce

From: aliz@gentoo.org (Daniel Ahlberg)
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: gallery (200309-06)
Date: Tue, 02 Sep 2003 13:30:01
Message-Id: 20030902133648.8774B9FBAF@noc.internal.fairytale.se
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-06
- - - ---------------------------------------------------------------------

          PACKAGE : gallery
          SUMMARY : cross site scripting
             DATE : 2003-09-02 13:36 UTC
          EXPLOIT : remote
VERSIONS AFFECTED : <gallery-1.3.4_p1
    FIXED VERSION : >=gallery-1.3.4_p1
              CVE : CAN-2003-0614

- - - ---------------------------------------------------------------------

quote from cve:

"Cross-site scripting (XSS) vulnerability in search.php of Gallery 1.1
through 1.3.4 allows remote attackers to insert arbitrary web script via
the searchstring parameter."

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-misc/gallery upgrade to gallery-1.3.4_p1 as follows:

emerge sync
emerge gallery
emerge clean

- - - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://dev.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/VJzwfT7nyhUpoZMRAgr+AKDEyMBZEx7Pwk+WclB0+exQM/MUNQCgozCt
oOd3lnNslrrVVia/u4YJMzo=
=jaBo
-----END PGP SIGNATURE-----
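
Added example, not part of the original announcement or of Gallery's code: a log review helper for administrators who ran an affected version, listing requests to search.php whose searchstring parameter decodes to markup. The /gallery/ install path, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup that has no place in a plain-text search term.
MARKUP_RE = re.compile(r'[<>]|\bon\w+\s*=|javascript:', re.IGNORECASE)

# Constructed sample log lines (documentation addresses, assumed /gallery/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Sep/2003:13:40:01 +0000] '
    '"GET /gallery/search.php?searchstring=holiday+photos HTTP/1.0" 200 5120',
    '192.0.2.11 - - [02/Sep/2003:13:41:17 +0000] '
    '"GET /gallery/search.php?searchstring=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0" 200 5301',
    '192.0.2.12 - - [02/Sep/2003:13:42:44 +0000] '
    '"GET /gallery/search.php?searchstring=%253Cimg+src%253Dx%253E HTTP/1.0" 200 5288',
    '192.0.2.13 - - [02/Sep/2003:13:43:02 +0000] '
    '"GET /gallery/view_album.php?searchstring=%3Cb%3E HTTP/1.0" 200 4100',
]

def suspicious_searchstrings(log_lines):
    """Return (line_number, decoded_value) for search.php requests whose
    searchstring parameter decodes to HTML or script markup."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        url = urlsplit(match.group(1))
        if not url.path.endswith("/search.php"):
            continue  # the advisory names search.php only
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("searchstring", []):
            # parse_qs decodes once; decode again to catch double-encoded input.
            for candidate in (value, unquote_plus(value)):
                if MARKUP_RE.search(candidate):
                    hits.append((lineno, candidate))
                    break
    return hits

if __name__ == "__main__":
    for lineno, value in suspicious_searchstrings(SAMPLE_LOG):
        print(f"line {lineno}: searchstring decodes to {value!r}")
```

A hit shows that markup was submitted, not that it was rendered in a victim's browser; upgrading to gallery-1.3.4_p1 as described above remains the fix.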