Debian Security Advisory

DSA-1148-1 gallery -- several vulnerabilities

Date Reported:
09 Aug 2006
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 325285.
In Mitre's CVE dictionary: CVE-2005-2734, CVE-2006-0330, CVE-2006-4030.
More information:

Several remote vulnerabilities have been discovered in gallery, a web-based photo album. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2005-2734

    A cross-site scripting vulnerability allows injection of web script code through HTML or EXIF information.

  • CVE-2006-0330

    A cross-site scripting vulnerability in the user registration allows injection of web script code.

  • CVE-2006-4030

    Missing input sanitising in the stats modules allows information disclosure.

For the stable distribution (sarge) these problems have been fixed in version 1.5-1sarge2.

For the unstable distribution (sid) these problems have been fixed in version 1.5-2.

We recommend that you upgrade your gallery package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.