Your message dated Sun, 30 Nov 2008 10:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#506824: fixed in gallery 1.5.9-1.2
has caused the Debian Bug report #506824,
regarding gallery: cookie handling security bypass vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
506824: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506824
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gallery
Severity: grave
Version: 1.5.8-1
Tags: security

Hi,

The following SA (Secunia Advisory) id was published for gallery.

SA32817[1]:
> A vulnerability has been reported in Gallery, which can be exploited by
> malicious people to bypass certain security restrictions.
>
> The vulnerability is caused due to an unspecified error when handling
> certain cookies, which can be exploited to gain administrative access to
> the application.
>
> Successful exploitation requires that "register_globals" is enabled.
>
> The vulnerability is reported in Gallery 1.x versions 1.5.8-svn-b34 and
> later.

If you fix the vulnerability please also make sure to include the CVE id (when 
one is assigned) in the changelog entry.

[1]http://secunia.com/Advisories/32817/

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message ---
Source: gallery
Source-Version: 1.5.9-1.2

We believe that the bug you reported is fixed in the latest version of
gallery, which is due to be installed in the Debian FTP archive:

gallery_1.5.9-1.2.diff.gz
  to pool/main/g/gallery/gallery_1.5.9-1.2.diff.gz
gallery_1.5.9-1.2.dsc
  to pool/main/g/gallery/gallery_1.5.9-1.2.dsc
gallery_1.5.9-1.2_all.deb
  to pool/main/g/gallery/gallery_1.5.9-1.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated gallery package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 30 Nov 2008 11:12:34 +0100
Source: gallery
Binary: gallery
Architecture: source all
Version: 1.5.9-1.2
Distribution: unstable
Urgency: high
Maintainer: Michael C. Schultheiss <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 gallery    - a web-based photo album written in php
Closes: 506824
Changes: 
 gallery (1.5.9-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix insecure usage of superglobal $_REQUEST by first cleaning
     it up and then merging $_GET and $_POST into it to prevent
     interfering values set by malicious cookies when register_globals is on
     (No CVE id yet; Closes: #506824).
Checksums-Sha1: 
 b6f51e06c2f599ad49486f72148bf1b03039b176 971 gallery_1.5.9-1.2.dsc
 ab66569d891aad4e2210cfdad5a183ef4f36f854 21440 gallery_1.5.9-1.2.diff.gz
 f797e240949a0a866c53ff6f042318a5d570e8c4 2460952 gallery_1.5.9-1.2_all.deb
Checksums-Sha256: 
 6f2f8c07b3ab18658e9a3c66dcfffd2b56c67436a70af1e61a979047d7cf52fc 971 gallery_1.5.9-1.2.dsc
 a4cfb2466b4a0b4526c3df6c552dfe93fdc5955c1cda88fa1cd213a20ffd24a7 21440 gallery_1.5.9-1.2.diff.gz
 c2b0a2aa92a5db06fb93265a640ea2c87e83a52699fb851e311f7fe41d8ac8e4 2460952 gallery_1.5.9-1.2_all.deb
Files: 
 507b4f9ef546c34c7f5d73353704c2c0 971 web optional gallery_1.5.9-1.2.dsc
 42507a32abbd5195788b0637fa35c059 21440 web optional gallery_1.5.9-1.2.diff.gz
 7e8b003964d0bf0010875f0de87296bd 2460952 web optional gallery_1.5.9-1.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkyblAACgkQHYflSXNkfP9tQgCgshHOkhB41LVhFIfDME3NGuvg
Ko0An0BqX2gltiufYsnAWpOs3ZG7YB12
=rLDn
-----END PGP SIGNATURE-----



--- End Message ---
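The changelog entry above describes the fix as rebuilding $_REQUEST from $_GET and $_POST only, so that values set through cookies cannot masquerade as request parameters. The PHP sketch below is an added illustration of that technique; it is neither Gallery's code nor the Debian patch, and the function names and the simulated superglobal contents are assumptions made for the demonstration.

```php
<?php
// Added example (not Gallery's own code): rebuild $_REQUEST from $_GET and
// $_POST only. When request_order is unset, PHP fills $_REQUEST according to
// variables_order, which may include cookies ("C"); with register_globals on,
// an application that reads $_REQUEST can then be steered by a cookie.

/**
 * Return a request array containing only GET and POST values.
 * POST overrides GET on name clashes, the usual "GP" precedence.
 */
function clean_request(array $get, array $post): array
{
    return array_merge($get, $post);
}

/**
 * Replace the $_REQUEST superglobal in place. Assumption: this runs once,
 * before any application code reads $_REQUEST (e.g. in a shared include).
 */
function rebuild_request_superglobal(): void
{
    $_REQUEST = clean_request($_GET, $_POST);
}

// Constructed demonstration with simulated superglobals (no web server).
$_GET     = ['page' => 'album'];
$_POST    = [];
$_COOKIE  = ['user_level' => 'admin'];   // value supplied by the client's cookie
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE); // what a permissive config yields

echo isset($_REQUEST['user_level'])
    ? "before: cookie value visible through \$_REQUEST\n"
    : "before: clean\n";

rebuild_request_superglobal();

echo isset($_REQUEST['user_level'])
    ? "after: cookie value still present\n"
    : "after: \$_REQUEST holds only GET and POST values\n";
```

This rebuild only protects code paths that read $_REQUEST. With register_globals enabled, PHP also injects cookie values as plain global variables, so disabling register_globals (or, on PHP 5.3 and later, setting request_order to "GP") remains the configuration-level mitigation; the superglobal rebuild is the defence an application can apply when it cannot control the server's php.ini.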
