Debian Security Advisory
DSA-1148-1 gallery -- several vulnerabilities
- Date Reported:
- 09 Aug 2006
- Affected Packages:
- gallery
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 325285.
In Mitre's CVE dictionary: CVE-2005-2734, CVE-2006-0330, CVE-2006-4030. - More information:
-
Several remote vulnerabilities have been discovered in gallery, a web-based photo album. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2005-2734
A cross-site scripting vulnerability allows injection of web script code through HTML or EXIF information.
- CVE-2006-0330
A cross-site scripting vulnerability in the user registration allows injection of web script code.
- CVE-2006-4030
Missing input sanitising in the stats modules allows information disclosure.
For the stable distribution (sarge) these problems have been fixed in version 1.5-1sarge2.
For the unstable distribution (sid) these problems have been fixed in version 1.5-2.
We recommend that you upgrade your gallery package.
- CVE-2005-2734
- Fixed in:
-
Debian GNU/Linux 3.1 (sarge)
- Source:
- http://security.debian.org/pool/updates/main/g/gallery/gallery_1.5-1sarge2.dsc
- http://security.debian.org/pool/updates/main/g/gallery/gallery_1.5-1sarge2.diff.gz
- http://security.debian.org/pool/updates/main/g/gallery/gallery_1.5.orig.tar.gz
- http://security.debian.org/pool/updates/main/g/gallery/gallery_1.5-1sarge2.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/g/gallery/gallery_1.5-1sarge2_all.deb
MD5 checksums of the listed files are available in the original advisory.