gallery3-3.0.8-1.el6 security update
Release: Fedora EPEL 6
Date Submitted: 2013-06-04 13:23:46
Date Released: 2013-06-04 23:55:31

A security flaw was found in the way the uploadify and flowplayer SWF file handling functionality of Gallery version 3 processed certain URL fragments passed to these files: certain URL fragments were not stripped properly when these files were called via direct URL requests. Gallery is an open source project with the goal to develop and support leading photo sharing web application solutions. A remote attacker could use this flaw to conduct replay attacks.

References:
- http://sourceforge.net/mailarchive/message.php?msg_id=30925931
- http://galleryproject.org/gallery_3_0_8

Relevant upstream tickets (and patches):
- uploadify case:
  - http://sourceforge.net/apps/trac/gallery/ticket/2068
  - https://github.com/gallery/gallery3/commit/80bb0f2222dd99ed2ce59e804b833bab63cc376a
- flowplayer case:
  - http://sourceforge.net/apps/trac/gallery/ticket/2070
  - https://github.com/gallery/gallery3/commit/3e5bba2cd4febe8331c0158c11ea418f21c72efa
  - https://github.com/gallery/gallery3/commit/12e51694fdc39c752cc439424cf309866f9f914a

Bugs Fixed
- 970598 - CVE-2013-2138: gallery3: Improper stripping of URL fragments in uploadify and flowplayer SWF files might lead to replay attacks [fedora-all]

Comments
- bodhi - 2013-06-04 13:24:02: This update has been submitted for testing by limb.
- bodhi - 2013-06-04 22:51:24: This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
- bodhi - 2013-06-05 00:46:37: This update has been pushed to testing
- bodhi - 2013-06-19 04:08:35: This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
- bodhi - 2013-06-19 12:17:01: This update has been submitted for stable by limb.
- bodhi - 2013-06-19 19:43:50: This update is currently being pushed to the Fedora EPEL 6 stable updates repository.
- bodhi - 2013-06-19 21:37:01: This update has been pushed to stable