Accepted: gallery2, gallery2, gallery2_2.2.4-1ubuntu0.1_i386_translations.tar.gz 2.2.4-1ubuntu0.1 (source, i386, raw-translations)

Ubuntu Installer archive at
Tue Sep 9 14:56:27 BST 2008

 OK: gallery2_2.2.4.orig.tar.gz
 OK: gallery2_2.2.4-1ubuntu0.1.diff.gz
 OK: gallery2_2.2.4-1ubuntu0.1.dsc
     -> Component: universe Section: web
 OK: gallery2_2.2.4-1ubuntu0.1_all.deb
 OK: gallery2_2.2.4-1ubuntu0.1_i386_translations.tar.gz

Format: 1.7
Date: Wed, 25 Jun 2008 13:47:58 +1000
Source: gallery2
Binary: gallery2
Architecture: all i386_translations source
Version: 2.2.4-1ubuntu0.1
Distribution: hardy-security
Urgency: low
Maintainer: Michael C. Schultheiss <schultmc at>
Changed-By: William Grant <william at>
 gallery2   - web-based photo album written in PHP
 gallery2 (2.2.4-1ubuntu0.1) hardy-security; urgency=low
   * SECURITY UPDATE: multiple cross-site scripting, information disclosure,
     and restriction bypass vulnerabilities (LP: #242671), and arbitrary code
     execution (LP: #202422)
     - lib/smarty/plugins/modifier.regex_replace.php: Don't look past a NULL in
       the search string. Fixes possible arbitrary code execution. Patch from
       smarty upstream.
     - modules/core/ Flatten the contents of ZIP archives if they
       are being uploaded by a user without subalbum privileges. Patch from
       upstream svn.
     - modules/core/classes/GalleryUrlGenerator.class,
       Properly remove illegal characters from URLs. Patch from upstream svn.
     - modules/core/classes/Gallery{Embed,PhpVm}.class: More thoroughly verify
       that the remote address isn't being spoofed. Patch from upstream svn.
     - modules/password/ Only allow password protection of
       items already password protected or albums, as single items cannot
       reliably be password protected. Patch from upstream svn.
     - modules/albumselect/ Add session permissions to keys for
       the album list cache, to avoid hidden album disclosure. Patch from
       upstream svn.
     - */MANIFEST: Drop modified files to please the browser-based installer.
     - References:
       + CVE-2008-1066
       + CVE-2008-2720
       + CVE-2008-2721
       + CVE-2008-2722
       + CVE-2008-2723
       + CVE-2008-2724
 150f912aa702b9219f20bd097f62b457 12154992 web optional gallery2_2.2.4-1ubuntu0.1_all.deb
 12144b81259a78949f0f8c1c87c91453 6803904 raw-translations - gallery2_2.2.4-1ubuntu0.1_i386_translations.tar.gz
 618fbb718fcb850db3a4fef143c06287 625 web optional gallery2_2.2.4-1ubuntu0.1.dsc
 f157da8b94ceab38a35387dd0c5379d7 27153 web optional gallery2_2.2.4-1ubuntu0.1.diff.gz
Launchpad-Bugs-Fixed: 202422 242671

More information about the Hardy-changes mailing list