Gallery 3.0.1 is available! This is a bug and stability fix
release, but it also includes an important security fix. We
strongly advise that you upgrade to Gallery 3.0.1 as soon as
possible. Upgrading is quick and easy, so don't put it off! Read on
for details of what's improved in Gallery 3.0.1, or just download
it now!
Security Fix
Vulnerability CVE-2010-4353
Gallery 3.0 (and its beta versions) has a security vulnerability where
users with upload permissions can bypass file type restrictions and
upload files of any type to the server. This vulnerability only
affects installations where you've granted upload permissions to
users you don't fully trust; such users could then gain remote
access to your system. We strongly recommend that you upgrade
immediately. However, if you wish to close the hole without
upgrading, you can replace or patch modules/gallery/models/item.php
with the fixed version. Note that either fix only blocks new uploads:
if untrusted users already had upload permissions, review what they
have already uploaded before assuming the system is clean.
Method #1: Replace item.php
- Download CVE-2010-4353.zip
- Unpack the zip file
- Replace modules/gallery/models/item.php with the version
contained in the zip file

Method #2: Patch item.php
- Download CVE-2010-4353.patch.txt
- Move CVE-2010-4353.patch.txt into your gallery3 directory
- Run:
patch -p0 < CVE-2010-4353.patch.txt
- You should see the following output:
patching file modules/gallery/models/item.php
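To make concrete what a "file type restriction" on uploads actually has to enforce, here is an added example of a server-side upload check written for this page. It is not Gallery's code and not the CVE-2010-4353 patch (which this page only links to, not reproduces); the function names, the extension allowlist and the sample files are this example's own assumptions. The point it demonstrates: decide on the final extension only, verify the file's bytes really are that image type rather than trusting the client-sent MIME type, and refuse names a web server might hand to a script interpreter.

```php
<?php
// Added illustration, not Gallery's code and not the CVE-2010-4353 fix.
// Assumed allowlist: extension => the IMAGETYPE_* constant getimagesize()
// must report for the file's actual contents.
function allowed_image_upload(string $name, string $path): bool
{
    static $allowed = [
        'jpg'  => IMAGETYPE_JPEG,
        'jpeg' => IMAGETYPE_JPEG,
        'png'  => IMAGETYPE_PNG,
        'gif'  => IMAGETYPE_GIF,
    ];

    $base = basename($name);                      // drop any directory part the client sent
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;                             // final extension not on the allowlist
    }

    // Reject "double extensions" such as image.php.gif: some server setups
    // (Apache AddHandler, for one) choose the handler from an inner suffix.
    if (preg_match('/\.(php\d*|phtml|phar|pl|cgi|sh)\./i', $base)) {
        return false;
    }

    // Content check: parse the image header from disk. A script renamed to
    // .jpg, or a GIF mislabelled as .jpg, fails here.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return false;
    }
    return true;
}

// Store under a name built only from safe characters plus the verified
// extension, never under the name the client supplied.
function safe_stored_name(string $name): string
{
    $base = basename($name);
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $stem = preg_replace('/[^A-Za-z0-9_-]+/', '_', pathinfo($base, PATHINFO_FILENAME));
    if ($stem === '') {
        $stem = 'upload';
    }
    return $stem . '.' . $ext;
}

// Constructed samples for a stand-alone run (not files from the page):
// a real 1x1 GIF and a PHP script sitting behind an image-looking name.
$gif = tempnam(sys_get_temp_dir(), 'gal');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$php = tempnam(sys_get_temp_dir(), 'gal');
file_put_contents($php, "<?php echo 'not an image';");

$cases = [
    ['cat.gif',       $gif],  // genuine GIF with a matching extension
    ['cat.jpg',       $gif],  // genuine GIF under a .jpg name (content mismatch)
    ['cat.jpg',       $php],  // script bytes under a .jpg name
    ['cat.php.gif',   $gif],  // double extension with a script suffix
    ['../../cat.gif', $gif],  // directory components in the client-sent name
];
foreach ($cases as [$name, $file]) {
    printf("%-16s %s -> stored as %s\n", $name,
           allowed_image_upload($name, $file) ? 'accept' : 'reject',
           safe_stored_name($name));
}
unlink($gif);
unlink($php);
```

Two caveats that apply to any check of this shape: an image header test does not rule out a valid image with script text appended to it, so the upload directory should additionally have script execution disabled (or sit outside the web root); and the check must run on the name the file will actually be stored under, not only on a name the client supplied.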
We would like to thank Kriss Andsten for responsibly disclosing this
security issue. Kriss is a valued member of the Gallery 3 community
and he will be receiving a $400 cash reward as part of the Gallery
Security Bounty program.
If you discover a security vulnerability in any Gallery product,
please email security@gallery.menalto.com with the details and we
will fix it as soon as possible and reward your efforts.
What's changed in Gallery 3.0.1?
This new release is primarily a bugfix and stability release. There
have been over 277,000 downloads of Gallery 3.0 since we released it
in October of 2010 and over 32,000 posts in our forums from active
users. While the feedback has been overwhelmingly positive, you've
certainly found a lot of bugs and rough edges! We worked through
and closed over 95 tickets to make the product faster, more reliable
and easier to use. We hope you like the results. Some of the
highlights of this release include:
- Considerable performance improvements to the REST module, which
is the technology that powers things like the Gallery Android App
- Huge improvements in performance when tagging lots of photos
- Compatibility fixes for Internet Explorer 6 and 7
- Improved system detection to help identify problems when PHP is
configured in a way that makes Gallery work poorly or not at all.
- Automatic version upgrade detection. Gallery will now alert you
if there's a newer version of Gallery available, without sharing
any of your Gallery information.
- Completely rewrote the Organize feature to be fast and stable.
- Fixed an important stability issue where a race between two
users deleting photos and albums could result in database
corruption which, while completely recoverable, is a pain to deal with.
Upgrading
Upgrading is really easy! Back up your database and your var/
directory first, then unpack the new version, move the var/
directory of the old version into the new version's folder and then
either browse to:
http://your-site.com/gallery3/index.php/upgrader
or, at a shell prompt in the new version's folder, run:
php index.php upgrade
For more detailed upgrade instructions, please refer to the Gallery
3 User Guide.
Roadmap
Looking forward, we intend to make some major changes in the 3.1
code base. We'd like to get Gallery embedded into content
management systems like Drupal, Joomla, etc. We're also thinking
about ways that we can overhaul and greatly improve the theme and
authentication systems. If we discover issues in the 3.0.1 release
that need a quick fix, we will probably spin up a 3.0.2 release for
those.
Got feedback?
If you have any overall feedback, please visit the Gallery 3.0.1
Feedback forum topic and let us know! If you have questions, please
visit the Gallery 3 Wiki, the home for Gallery 3 documentation.