=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN361
_____________________________________________________________________

DATE                      : 19/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Gallery versions 2.x prior
                                   to 2.2.6 and 1.x prior to 1.5.9.

======================================================================
http://gallery.menalto.com/gallery_2.2.6_released
http://gallery.menalto.com/gallery_1.5.9_released
______________________________________________________________________

Gallery 2.2.6 Security Fix Release
Submitted by valiant on Thu, 2008-09-18 07:25

Gallery 2.2.6 is now available for download. This release fixes critical
security issues, no new features have been added. Users of all previous
Gallery 2 versions are strongly encouraged to upgrade to version 2.2.6
as soon as possible! The Gallery team thanks Alex Ustinov and Hanno
Boeck for reporting the security issues through the right channels and
will reward them with a well deserved security bounty.

Since 2.2.6 is a security release, it shares the same installation
requirements as 2.2.5. If you haven't upgraded to 2.2.x yet, please
review the Gallery 2.2 release notes for highlights of changes and the
requirements. Read on for more details and upgrade instructions.


Upgrading Instructions

Upgrading is quick and easy:

     * Users of Gallery 2.1 or earlier should review release notes for
requirement changes and update all application files.
     * Users of Gallery 2.2 or later (2.2.1, 2.2.2, 2.2.3, 2.2.4 or
2.2.5) can use an update file to upgrade specific core files and then
upgrade the affected modules via Downloadable Plugins.

Regardless of your Gallery's version, review the upgrading instructions
for complete details.


Security Vulnerabilities

Gallery 2.2.6 addresses the following security vulnerabilities:

     * Arbitrary file disclosure through archive upload module - Users
with "add item" permission could retrieve any file on the server that is
owned by the web server account. The problem is caused by incorrect
handling of ZIP archives that contain symbolic links.
       The Gallery team would like to thank Alex Ustinov for bringing
this issue to our attention.
     * Insecure cookies over HTTPS - When accessing Gallery over HTTPS,
cookies were missing the "secure" flag, leaving the connection
vulnerable to cookie sniffing attacks.
       The Gallery team would like to thank Hanno Boeck for bringing this
issue to our attention.
     * XSS through malicious Flash files - Flash animations that are
embedded in Gallery are no longer allowed to interact with the embedding
page and are no longer allowed to open network connections.
       While this protects visitors of your Gallery from potentially
malicious Flash animations, the Gallery team would like to use this
opportunity to remind you that it is generally highly recommended to
only allow trusted users to add any files to your Gallery.



______________________________________________________________________

Gallery 1.5.9 Released
Submitted by ckdake on Tue, 2008-09-16 14:48

Gallery 1.5.9 is now available for download. This release fixes several
security issues.

This version also resolves a handful of bugs found in Gallery 1.5.8. We
strongly recommend that all users of Gallery 1.5.8 and earlier upgrade
to this release to protect your Gallery installation. You can download
Gallery 1.5.9 from the Gallery 1 download page on SourceForge. Upgrade
instructions are available on our documentation site. Please discuss any
issues specific to this release in this forum thread.

The Gallery team thanks Alex Ustinov and Hanno Boeck for reporting the
security issues through the right channels and will reward them with a
well deserved security bounty.

Gallery 1.5.9 addresses the following security vulnerabilities:

     * Arbitrary file disclosure through zip upload functionality - Users
with permission to add items could retrieve any file on the server that
is owned by the web server account. The problem is caused by incorrect
handling of ZIP archives that contain symbolic links.
       The Gallery team would like to thank Alex Ustinov for bringing
this issue to our attention.
     * Insecure cookies over HTTPS - When accessing Gallery over HTTPS,
cookies were missing the "secure" flag, leaving the connection
vulnerable to cookie sniffing attacks.
       The Gallery team would like to thank Hanno Boeck for bringing this
issue to our attention.
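The "arbitrary file disclosure" item in both release notes above comes from
extracting user-supplied ZIP archives that contain symbolic links: once a
link pointing outside the album directory is recreated on disk, the web
server account happily serves whatever the link targets. The following
Python is an added example from the editor, not Gallery code; it shows the
check an upload handler should perform before extracting anything: refuse
entries whose Unix mode bits mark them as symlinks, and refuse names that
escape the extraction root. The sample archive is constructed inline.

```python
import io
import stat
import tempfile
import zipfile


def entry_is_symlink(info):
    # Unix zip tools store the file mode in the high 16 bits of external_attr.
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def entry_escapes_root(name):
    # Reject absolute paths, drive letters and any ".." path component.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    return ".." in name.replace("\\", "/").split("/")


def audit_archive(data):
    """Return (entry name, reason) for every entry that must not be extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_is_symlink(info):
                findings.append((info.filename, "symbolic link"))
            elif entry_escapes_root(info.filename):
                findings.append((info.filename, "path escapes extraction root"))
    return findings


def safe_extract(data, dest):
    """Extract only the entries that passed the audit; return their names."""
    rejected = {name for name, _ in audit_archive(data)}
    extracted = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename in rejected:
                continue
            zf.extract(info, dest)
            extracted.append(info.filename)
    return extracted


def build_sample_archive():
    """Constructed sample: one ordinary image, one symlink entry, one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo.jpg", b"\xff\xd8\xff\xd9")  # minimal JPEG-like bytes
        link = zipfile.ZipInfo("album/link.jpg")
        link.create_system = 3  # 3 = Unix, so the mode bits below are honoured
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        # For a symlink entry the stored data is the link target. Python's zipfile
        # would write that string out as a plain file, but native unzip tools
        # recreate the link, which is the behaviour the Gallery bug depended on.
        zf.writestr(link, "/etc/passwd")
        zf.writestr("../outside.txt", b"x")
    return buf.getvalue()


def demo():
    """Extract the sample archive into a fresh temporary directory."""
    return safe_extract(build_sample_archive(), tempfile.mkdtemp())


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()):
        print(f"rejected {name}: {reason}")
    print("extracted:", demo())
```

Rejecting the whole archive once a bad entry is seen is the stricter
alternative; the version above skips only the offending entries so the
audit result can be logged per entry.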
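The "insecure cookies over HTTPS" item, listed in both release notes,
is easy to verify from the outside: a session cookie set on an HTTPS
response must carry the "Secure" attribute, otherwise a browser will also
send it over plain HTTP where it can be sniffed. The Python below is an
added example from the editor, not Gallery code. It parses Set-Cookie
header values, reports cookies that lack "Secure" on an HTTPS response,
and shows how to emit a header with the flag set; the cookie names and
values are constructed for the example.

```python
from http import cookies


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value into its name and the two flags of interest."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_cookies(set_cookie_values, over_https):
    """Return the names of cookies that are missing Secure on an HTTPS response."""
    if not over_https:
        return []  # Secure would be meaningless; the cookie never reaches the browser safely
    return [cookie_flags(v)["name"] for v in set_cookie_values
            if not cookie_flags(v)["secure"]]


def build_cookie(name, value, over_https):
    """Emit a Set-Cookie value with HttpOnly always and Secure whenever the site is HTTPS."""
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if over_https:
        jar[name]["secure"] = True
    return jar.output(header="").strip()


# Constructed sample: what a pre-fix response might have sent over HTTPS.
SAMPLE_SET_COOKIES = [
    "GALLERYSID=abc123; path=/",          # session cookie without Secure: finding
    "g2_theme=matrix; path=/; Secure",    # already correct
]

if __name__ == "__main__":
    print("missing Secure:", audit_cookies(SAMPLE_SET_COOKIES, over_https=True))
    print("fixed header:", build_cookie("GALLERYSID", "abc123", over_https=True))
```

Run against a real deployment, the same audit can be fed the Set-Cookie
headers of the login response; any cookie reported here is one an on-path
attacker can capture from a later plaintext request.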


======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================