=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN553
_____________________________________________________________________

DATE                      : 28/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Gallery versions prior to
                               1.5.10 and 1.6-RC3.

======================================================================
http://gallery.menalto.com/last_official_G1_releases
______________________________________________________________________

Gallery 1.5.10 and 1.6-RC3 Released - Last G1 Releases from us!
Submitted by ckdake on Fri, 2008-11-21 21:35

Gallery 1.5.10 and Gallery 1.6-RC3 are now available for download. These
releases fix one security issue and a handful of other small issues.

These releases are also the last official releases of Gallery 1 from the
Gallery project.

We strongly recommend that all users of Gallery 1.5.9, 1.6-RC2, and earlier
upgrade to this release to protect your Gallery installation. You can
download them from the Gallery 1 download page on SourceForge. Upgrade
instructions are available on our documentation site. Read on for some
more details about what is happening to Gallery 1.

These releases address a security issue that allowed malicious users to
gain administrative access if "register globals" is enabled in web server
configuration. We thank John Hisdock for responsibly reporting this to us
and are happy to award him with a security bounty.

Gallery 1 has been good to us! From Bharat's first public code release
in July 2000, to Gallery 1.0 on June 4th 2001, to the multi-year behemoth
of Gallery 2 and on to the current Gallery 3 product, over 2 million of
you have downloaded Gallery 1 and loved it. Gallery 1 was the SourceForge
project of the month in 2003, and even now, more than 3 years after the
Gallery 2.0 release, several thousand of you still download Gallery 1
every month. We thank you for this ongoing support!

As much as we'd like to keep giving you Gallery 1 enhancements forever,
it is a very old product and we've already completely stopped work on
Gallery 2 to give us more time to work on Gallery 3. Gallery 3 is going
to be great and we're sure that you'll love it as it is strongly influenced
by all the lessons we learned working on Gallery 1 and Gallery 2, but for
those of you that really don't want to change...

Those of you who have already migrated to the Gallery 1.6 release
candidates will be pleased to hear that Jens Tkotz (long-time and last
remaining Gallery 1 developer) has forked Gallery 1 into Jallery where
he will continue development on what would have been Gallery 1.6. He
does this with the team's blessing and our best wishes (but secretly
we're also hoping that he will stick around here to work on Gallery 3 too!)

No future development will be done on Gallery 1 as part of this project,
and the only future Gallery 1 code from us will be critical security fixes
(and we don't expect any of these!) As for support services like the
forums here: as soon as Jens' versions of these are available on
jallery.com, we will be disabling new posts related to G1 here.

As always, we thank you for your continued support!


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================




