security gallery3-3.0.8-1.el6 security update
Status:stable
Release: Fedora EPEL 6
Update ID: FEDORA-EPEL-2013-6079
Builds: gallery3-3.0.8-1.el6
Pushed: True
Date Submitted: 2013-06-04 13:23:46
Date Released: 2013-06-04 23:55:31
Submitter: limb
Karma: 0
Stable karma: 3
Unstable karma: -3
Details

A security flaw was found in the way the uploadify and flowplayer SWF file handling functionality of Gallery version 3 (an open source project with the goal to develop and support leading photo sharing web application solutions) processed certain URL fragments passed to these files: certain URL fragments were not stripped properly when these files were called via direct URL request(s). A remote attacker could use this flaw to conduct replay attacks.

References:

[1] http://sourceforge.net/mailarchive/message.php?msg_id=30925931
[2] http://galleryproject.org/gallery_3_0_8

Relevant upstream tickets (and patches):

  • uploadify case:

[3] http://sourceforge.net/apps/trac/gallery/ticket/2068
[4] https://github.com/gallery/gallery3/commit/80bb0f2222dd99ed2ce59e804b833bab63cc376a

  • flowplayer case:

[5] http://sourceforge.net/apps/trac/gallery/ticket/2070
[6] https://github.com/gallery/gallery3/commit/3e5bba2cd4febe8331c0158c11ea418f21c72efa
[7] https://github.com/gallery/gallery3/commit/12e51694fdc39c752cc439424cf309866f9f914a

Bugs Fixed
970598 - CVE-2013-2138: gallery3: Improper stripping of URL fragments in uploadify and flowplayer SWF files might lead to replay attacks [fedora-all]
970599 - CVE-2013-2138: gallery3: Improper stripping of URL fragments in uploadify and flowplayer SWF files might lead to replay attacks [epel-6]
Feedback
bodhi - 2013-06-04 13:24:02
This update has been submitted for testing by limb.
bodhi - 2013-06-04 22:51:24
This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
bodhi - 2013-06-05 00:46:37
This update has been pushed to testing
bodhi - 2013-06-19 04:08:35
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
bodhi - 2013-06-19 12:17:01
This update has been submitted for stable by limb.
bodhi - 2013-06-19 19:43:50
This update is currently being pushed to the Fedora EPEL 6 stable updates repository.
bodhi - 2013-06-19 21:37:01
This update has been pushed to stable
