Gallery 2.2.3 Security Fix Release

2007/10/07 11:01

Gallery 2.2.3 was released on August 29.
It adds no new features, but it is said to fix
serious security issues in the Reupload and WebDAV modules.

The upgraded version can be downloaded here.

Below is the original text of the 2.2.3 release announcement.

Gallery 2.2.3 is now available for download. This release adds no new features. It fixes critical application security bugs in the WebDAV and Reupload modules. If the WebDAV or Reupload modules are active in your Gallery we strongly recommend that you either disable them, upgrade them via Downloadable Plugins or perform a complete upgrade to version 2.2.3. Thanks go to Merrick Manalastas and Nicklous Roberts for reporting the issues to the Gallery Security team!

Gallery 2.2.3 is a small security upgrade from 2.2.2 and has the same requirements as 2.2.2. If you haven't upgraded to 2.2.x yet, please refer to the release announcement of Gallery 2.2 for highlights of changes and the requirements of the Gallery 2.2 release.

Read on for more details and upgrade instructions...

Is your Gallery installation affected? You can check whether the WebDAV or Reupload module is active on the Site Admin » Plugins page of your Gallery. If these modules are not active, you can safely skip Gallery 2.2.3.

Upgrading instructions:
  • Users of Gallery 2.2 or later versions can upgrade the WebDAV and Reupload modules via Downloadable Plugins from the official plugin repository. This is certainly the fastest and the easiest solution.
  • Upgrading is quick and easy, but if you're upgrading from 2.1 or earlier there are a few things you should know first so be sure to scan the upgrading instructions. Upgrading from Gallery 2.2, 2.2.1 or 2.2.2 is even easier since you don't need to replace all your gallery2/ files, but changed files in the specific modules only.
Security vulnerabilities - Gallery 2.2.3 addresses the following security vulnerabilities:
  • Unauthorized renaming of items possible with WebDAV (reported by Merrick Manalastas)
  • Unauthorized modification and retrieval of item properties possible with WebDAV
  • Unauthorized locking and replacing of items possible with WebDAV
  • Unauthorized editing of data file possible via linked items with Reupload and WebDAV (reported by Nicklous Roberts)
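As an added example (not part of the announcement and not Gallery's own code), a small log-triage script: it scans web server access logs in Apache combined format for successful WebDAV requests under the Gallery path, so an administrator can see whether the module was actually exercised before the upgrade. Mapping the fixed bug classes to the standard WebDAV verbs MOVE, PROPPATCH, PROPFIND, LOCK and PUT, the `/gallery2/` path prefix and the sample log lines are all assumptions made here.

```python
import re
from collections import Counter, defaultdict

# Standard WebDAV methods matching the classes of bugs fixed in Gallery 2.2.3:
# MOVE (renaming), PROPPATCH/PROPFIND (modifying/reading item properties),
# LOCK (locking), PUT (replacing data files). That the Gallery WebDAV module
# exposes these verbs is an assumption for this example.
WEBDAV_METHODS = {"MOVE", "PROPPATCH", "PROPFIND", "LOCK", "PUT"}

# Apache "combined" log line: client, timestamp, "METHOD path HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def webdav_activity(lines, gallery_prefix="/gallery2/"):
    """Return {method: Counter(client ip)} for WebDAV requests under the
    Gallery path that the server answered with a 2xx status (207 included)."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        method, path, status = m["method"], m["path"], int(m["status"])
        if (method in WEBDAV_METHODS and path.startswith(gallery_prefix)
                and 200 <= status < 300):
            hits[method][m["ip"]] += 1
    return hits

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Aug/2007:10:00:01 +0000] "GET /gallery2/main.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Aug/2007:10:00:05 +0000] "PROPFIND /gallery2/w/ HTTP/1.1" 207 812',
    '203.0.113.7 - - [29/Aug/2007:10:00:09 +0000] "MOVE /gallery2/w/album/photo.jpg HTTP/1.1" 201 0',
    '198.51.100.4 - - [29/Aug/2007:10:01:00 +0000] "LOCK /gallery2/w/album/photo.jpg HTTP/1.1" 401 0',
    '198.51.100.4 - - [29/Aug/2007:10:01:02 +0000] "PUT /gallery2/w/album/photo.jpg HTTP/1.1" 204 0',
    '198.51.100.4 - - [29/Aug/2007:10:01:03 +0000] "PUT /other/file.txt HTTP/1.1" 204 0',
    'garbage line',
]

if __name__ == "__main__":
    for method, clients in sorted(webdav_activity(SAMPLE_LOG).items()):
        print(method, dict(clients))
```

Rejected requests (the 401 LOCK above) and paths outside the Gallery prefix are deliberately left out, so the report shows only operations the server actually carried out.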

Bounties - As part of Gallery's Bounty Program, Merrick Manalastas will receive a bounty of $500 and Nicklous Roberts a bounty of $200 for reporting the security vulnerabilities to the Gallery Security team. Please remember that to receive the full bounty you should report security issues to security@gallery.menalto.com and not make them public at all (not even in the bug tracker) before we had a chance to fix the issue.
