Re: [SECURITY] [DSA 1148-1] New gallery packages fix several vulnerabilities

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1148-1] New gallery packages fix several vulnerabilities
From: Christoph Auer <c_a@gmx.net>
Date: Thu, 10 Aug 2006 09:16:55 +0200
Message-id: <[🔎] 44DADD67.9090305@gmx.net>
In-reply-to: <20060809212702.GA8621@galadriel.inutil.org>
References: <20060809212702.GA8621@galadriel.inutil.org>

After getting this DSA I made an upgrade of my sarge server as usally:

apt-get update
apt-get upgrade

In the postinst. process I choose to restart the apache2 server to take
effect of the changes, but something went wrong.

root     20343  0.0  0.0     0    0 pts/0    Z+   08:14   0:00
[gallery.postins] <defunct>

after waiting for 4 minutes in front of "Forcing reload of web server:
Apache2." I killed with ctrl-c
and run again apt-get update this time I choose no at the
apache-restart-question and it concluded successfully.
A "manually" restart with "/etc/init.d/apache2 restart" worked fine.

Regards,
-- 
Christoph Auer <c_a@gmx.net>
GnuPG Key ID: 1082227A
Encrypted e-mail preferred.
Powered by Debian GNU/Linux


Moritz Muehlenhoff wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 1148-1                    security@debian.org
> http://www.debian.org/security/                         Moritz Muehlenhoff
> August 9th, 2006                        http://www.debian.org/security/faq
> --------------------------------------------------------------------------
> 
> Package        : gallery
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2005-2734 CVE-2006-0330 CVE-2006-4030
> Debian Bug     : 325285
> 
> Several remote vulnerabilities have been discovered in gallery, a web-based
> photo album. The Common Vulnerabilities and Exposures project identifies
> the following problems:
> 
> CVE-2005-2734
> 
>     A cross-site scripting vulnerability allows injection of web script
>     code through HTML or EXIF information.
> 
> CVE-2006-0330
> 
>     A cross-site scripting vulnerability in the user registration allows
>     injection of web script code.
> 
> CVE-2006-4030
> 
>     Missing input sanitising in the stats modules allows information
>     disclosure.
> 
> For the stable distribution (sarge) these problems have been fixed in
> version 1.5-1sarge2.
> 
> For the unstable distribution (sid) these problems have been fixed in
> version 1.5-2.
> 
> We recommend that you upgrade your gallery package.

Reply to:

Prev by Date: RE: [SECURITY] [DSA 1147-1] New drupal packages fix cross-site scripting
Next by Date: Updated: Russian and Ukrainian translation/localization services
Previous by thread: RE: [SECURITY] [DSA 1147-1] New drupal packages fix cross-site scripting
Next by thread: Updated: Russian and Ukrainian translation/localization services
Index(es):
- Date
- Thread