Re: [SECURITY] [DSA 1148-1] New gallery packages fix several vulnerabilities
- To: debian-security@lists.debian.org
- Subject: Re: [SECURITY] [DSA 1148-1] New gallery packages fix several vulnerabilities
- From: Christoph Auer <c_a@gmx.net>
- Date: Thu, 10 Aug 2006 09:16:55 +0200
- Message-id: <44DADD67.9090305@gmx.net>
- In-reply-to: <20060809212702.GA8621@galadriel.inutil.org>
- References: <20060809212702.GA8621@galadriel.inutil.org>
After getting this DSA I upgraded my sarge server as usual:
apt-get update
apt-get upgrade
In the postinst process I chose to restart the apache2 server so the changes would take effect, but something went wrong:
root 20343 0.0 0.0 0 0 pts/0 Z+ 08:14 0:00 [gallery.postins] <defunct>
After waiting 4 minutes at "Forcing reload of web server: Apache2." I killed it with Ctrl-C
and ran apt-get update again; this time I chose no at the apache-restart question and it concluded successfully.
A manual restart with "/etc/init.d/apache2 restart" worked fine.
Regards,
--
Christoph Auer <c_a@gmx.net>
GnuPG Key ID: 1082227A
Encrypted e-mail preferred.
Powered by Debian GNU/Linux
Moritz Muehlenhoff wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 1148-1 security@debian.org
> http://www.debian.org/security/ Moritz Muehlenhoff
> August 9th, 2006 http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package : gallery
> Vulnerability : several
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CVE-2005-2734 CVE-2006-0330 CVE-2006-4030
> Debian Bug : 325285
>
> Several remote vulnerabilities have been discovered in gallery, a web-based
> photo album. The Common Vulnerabilities and Exposures project identifies
> the following problems:
>
> CVE-2005-2734
>
> A cross-site scripting vulnerability allows injection of web script
> code through HTML or EXIF information.
>
> CVE-2006-0330
>
> A cross-site scripting vulnerability in the user registration allows
> injection of web script code.
>
> CVE-2006-4030
>
> Missing input sanitising in the stats modules allows information
> disclosure.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 1.5-1sarge2.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 1.5-2.
>
> We recommend that you upgrade your gallery package.
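The advisory names the bug class (script injected through HTML or EXIF metadata that the album then renders) but, as a DSA, shows no code. The following is an added example written for this page, in Python rather than gallery's own PHP, and is not gallery's code or the actual fixed bug: it builds and parses a minimal EXIF APP1 segment with one ASCII tag (the ImageDescription tag number and the hand-rolled writer are assumptions of the example), then renders the uploader-controlled description with the vulnerable concatenation pattern beside the hardened, HTML-escaped form. The sample description is constructed.

```python
"""Constructed example: EXIF text rendered into HTML unescaped vs escaped."""
import html
import struct

TAG_IMAGE_DESCRIPTION = 0x010E  # EXIF/TIFF ImageDescription, ASCII type
TYPE_ASCII = 2


def build_exif_app1(description: bytes) -> bytes:
    """Build a minimal little-endian EXIF APP1 payload carrying one ASCII tag.

    Layout (assumption for the example, not a full EXIF writer):
    'Exif\\0\\0' + TIFF header + IFD0 with a single entry. Values of 4 bytes
    or fewer are stored inline in the offset field, as TIFF requires; longer
    values are placed right after the IFD and referenced by offset.
    """
    value = description + b"\x00"           # ASCII values are NUL-terminated
    tiff_header = b"II" + struct.pack("<HI", 42, 8)  # order, magic, IFD0 offset
    data_offset = 8 + 2 + 12 + 4             # header + count + entry + next-IFD
    if len(value) <= 4:
        value_field = value.ljust(4, b"\x00")
        trailing = b""
    else:
        value_field = struct.pack("<I", data_offset)
        trailing = value
    entry = struct.pack("<HHI", TAG_IMAGE_DESCRIPTION, TYPE_ASCII, len(value)) + value_field
    ifd0 = struct.pack("<H", 1) + entry + struct.pack("<I", 0)
    return b"Exif\x00\x00" + tiff_header + ifd0 + trailing


def parse_exif_ascii_tags(app1: bytes) -> dict:
    """Return {tag: str} for the ASCII entries of IFD0 (either byte order).

    Nothing here sanitises: the strings are whatever the uploader wrote into
    the file, which is exactly why the renderer must encode them.
    """
    if not app1.startswith(b"Exif\x00\x00"):
        raise ValueError("not an EXIF APP1 payload")
    tiff = app1[6:]
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(order + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    tags = {}
    pos = ifd_offset + 2
    for _ in range(count):
        tag, typ, n, val = struct.unpack(order + "HHII", tiff[pos:pos + 12])
        pos += 12
        if typ != TYPE_ASCII:
            continue
        if n <= 4:
            raw = struct.pack(order + "I", val)[:n]   # inline value bytes
        else:
            raw = tiff[val:val + n]                    # out-of-line value
        tags[tag] = raw.rstrip(b"\x00").decode("latin-1")
    return tags


def render_caption_unsafe(description: str) -> str:
    """The vulnerable pattern: metadata concatenated straight into markup."""
    return '<div class="caption">' + description + "</div>"


def render_caption_safe(description: str) -> str:
    """Hardened form: encode for the HTML text context at the output point."""
    return '<div class="caption">' + html.escape(description, quote=True) + "</div>"


# Constructed sample: a description field that carries a script element.
SAMPLE_DESCRIPTION = b"sunset <script>alert(document.cookie)</script>"


def demo() -> tuple:
    """Round-trip the sample through the EXIF builder/parser and both renderers."""
    tags = parse_exif_ascii_tags(build_exif_app1(SAMPLE_DESCRIPTION))
    desc = tags[TAG_IMAGE_DESCRIPTION]
    return render_caption_unsafe(desc), render_caption_safe(desc)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
```

The same output-encoding rule covers the registration form case in CVE-2006-0330: the fix belongs at the point where an untrusted string is written into HTML, regardless of whether it came from a form field or from inside an uploaded file.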