We're releasing both Gallery 3.0.3 and Gallery 2.3.2 as security releases. Several researchers, working independently, discovered possible encryption-related vulnerabilities. Low-risk XSS vulnerabilities limited to the administration area were also reported. We thank the following individuals for reporting these issues: James 'albino' Kettle, George Argyros & Aggelos Kiayias, and Emanuel Bronshtein. They will be receiving bounties for these issues. Read our Bounties page for details and how to submit any security issues you find. The CVE id for these issues is CVE-2012-1113.
We recommend that all users of Gallery 2 and Gallery 3 upgrade as soon as possible.
Gallery 3.0.3 includes a few other small fixes, and Gallery 2.3.3 is strictly a security release.
Upgrading Gallery 3
Upgrading is really easy! Unpack the new version, move the var/ directory of the old version to the new version's folder and then either browse to:
or at a shell prompt:
php index.php upgrade
For more detailed upgrade instructions, please refer to the Gallery 3 User Guide.
Upgrading Gallery 2
A very small change is all that is needed. Drop in a new copy of all the files, or just grab the files from that commit and you'll be all set. You can also follow the much more detailed Gallery 2 Upgrading steps.
If you have any overall feedback, please visit the Gallery 3.0.3 Feedback forum topic and let us know! If you have questions, please visit the Gallery 3 Wiki, the home for Gallery 3 documentation.