Notice: This affects all versions of Gallery from 1.2 to this release:
We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery that can allow a hacker to log in to your Gallery as an administrator and perform any actions on your albums. No risk is posed to the web server itself or to any non-Gallery data. All Gallery users are very strongly urged to upgrade to 1.4.3-pl2 immediately, which fixes this serious problem and will secure your system.
Gallery 1.4.3-pl2 can be downloaded from the Gallery Download Page.
[10PM PDT] A patch version of the update has been made available on the downloads page. After downloading the patch, you can apply it by running these commands on your (UNIX) server:
gzip -d gallery-1.4.3-pl1_to_pl2.patch.gz
patch -p0 < gallery-1.4.3-pl1_to_pl2.patch
Version 1.4.3-pl2-1 of the Debian gallery package was uploaded on Tuesday, June 1, 2004 and should be available in Debian unstable after the archive run completes in the afternoon (EST) of Wednesday, June 2, 2004.
Version 1.2.5-9woody1 of the Debian gallery package for Debian Stable (aka Woody) was sent to the Debian Security Team on Tuesday, June 1, 2004 and should be available in Debian stable shortly.