<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200802-04"> <title>Gallery: Multiple vulnerabilities</title> <synopsis> Multiple vulnerabilities were discovered in Gallery. </synopsis> <product type="ebuild">gallery</product> <announced>2008-02-11</announced> <revised count="01">2008-02-11</revised> <bug>203217</bug> <access>remote</access> <affected> <package name="www-apps/gallery" auto="yes" arch="*"> <unaffected range="ge">2.2.4</unaffected> <unaffected range="lt">2.0</unaffected> <vulnerable range="lt">2.2.4</vulnerable> </package> </affected> <background> <p> Gallery is a web-based application for creating and viewing photo albums. </p> </background> <description> <p> The Gallery developement team reported and fixed critical vulnerabilities during an internal audit (CVE-2007-6685, CVE-2007-6686, CVE-2007-6687, CVE-2007-6688, CVE-2007-6689, CVE-2007-6690, CVE-2007-6691, CVE-2007-6692, CVE-2007-6693). </p> </description> <impact type="high"> <p> A remote attacker could exploit these vulnerabilities to execute arbitrary code, conduct Cross-Site Scripting and Cross-Site Request Forgery attacks, or disclose sensitive informations. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> All Gallery users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/gallery-2.2.4"</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6685">CVE-2007-6685</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6686">CVE-2007-6686</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6687">CVE-2007-6687</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6688">CVE-2007-6688</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6689">CVE-2007-6689</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6690">CVE-2007-6690</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6691">CVE-2007-6691</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6692">CVE-2007-6692</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6693">CVE-2007-6693</uri> </references> <metadata tag="requester" timestamp="2008-01-23T19:59:20Z"> jaervosz </metadata> <metadata tag="bugReady" timestamp="2008-01-23T19:59:33Z"> jaervosz </metadata> <metadata tag="submitter" timestamp="2008-02-06T11:03:19Z"> p-y </metadata> </glsa>