Branches for Hardy

Name Status Last Modified Last Commit
lp:ubuntu/hardy/gallery2 2 Mature 2009-12-05 21:15:49 UTC
9. * New upstream release (Urgency high ...

Author: Michael Schultheiss
Revision Date: 2007-12-24 05:36:33 UTC

* New upstream release (Urgency high due to security fixes.
  Closes: #457644)
* debian/control:
  + Update Standards-Version (No changes needed)
  + Add Homepage field, remove Homepage from Description
* debian/rules: No longer set DH_COMPAT (use debian/compat instead)

lp:ubuntu/hardy-security/gallery2 bug 2 Mature 2009-12-05 21:17:34 UTC
10. * SECURITY UPDATE: multiple cross-sit...

Author: William Grant
Revision Date: 2008-06-25 13:47:58 UTC

* SECURITY UPDATE: multiple cross-site scripting, information disclosure,
  and restriction bypass vulnerabilities (LP: #242671), and arbitrary code
  execution (LP: #202422)
  - lib/smarty/plugins/modifier.regex_replace.php: Don't look past a NULL in
    the search string. Fixes possible arbitrary code execution. Patch from
    smarty upstream.
  - modules/core/ItemAdd.inc: Flatten the contents of ZIP archives if they
    are being uploaded by a user without subalbum privileges. Patch from
    upstream svn.
  - modules/core/classes/GalleryUrlGenerator.class,
    modules/rewrite/classes/parsers/modrewrite/ModRewriteUrlGenerator:
    Properly remove illegal characters from URLs. Patch from upstream svn.
  - modules/core/classes/Gallery{Embed,PhpVm}.class: More thoroughly verify
    that the remote address isn't being spoofed. Patch from upstream svn.
  - modules/password/PasswordOption.inc: Only allow password protection of
    items already password protected or albums, as single items cannot
    reliably be password protected. Patch from upstream svn.
  - modules/albumselect/Callbacks.inc: Add session permissions to keys for
    the album list cache, to avoid hidden album disclosure. Patch from
    upstream svn.
  - */MANIFEST: Drop modified files to please the browser-based installer.
  - References:
    + CVE-2008-1066
    + CVE-2008-2720
    + CVE-2008-2721
    + CVE-2008-2722
    + CVE-2008-2723
    + CVE-2008-2724

lp:ubuntu/hardy-updates/gallery2 2 Mature 2009-12-05 21:16:28 UTC
10. * SECURITY UPDATE: multiple cross-sit...

Author: William Grant
Revision Date: 2008-06-25 13:47:58 UTC

* SECURITY UPDATE: multiple cross-site scripting, information disclosure,
  and restriction bypass vulnerabilities (LP: #242671), and arbitrary code
  execution (LP: #202422)
  - lib/smarty/plugins/modifier.regex_replace.php: Don't look past a NULL in
    the search string. Fixes possible arbitrary code execution. Patch from
    smarty upstream.
  - modules/core/ItemAdd.inc: Flatten the contents of ZIP archives if they
    are being uploaded by a user without subalbum privileges. Patch from
    upstream svn.
  - modules/core/classes/GalleryUrlGenerator.class,
    modules/rewrite/classes/parsers/modrewrite/ModRewriteUrlGenerator:
    Properly remove illegal characters from URLs. Patch from upstream svn.
  - modules/core/classes/Gallery{Embed,PhpVm}.class: More thoroughly verify
    that the remote address isn't being spoofed. Patch from upstream svn.
  - modules/password/PasswordOption.inc: Only allow password protection of
    items already password protected or albums, as single items cannot
    reliably be password protected. Patch from upstream svn.
  - modules/albumselect/Callbacks.inc: Add session permissions to keys for
    the album list cache, to avoid hidden album disclosure. Patch from
    upstream svn.
  - */MANIFEST: Drop modified files to please the browser-based installer.
  - References:
    + CVE-2008-1066
    + CVE-2008-2720
    + CVE-2008-2721
    + CVE-2008-2722
    + CVE-2008-2723
    + CVE-2008-2724

1 → 3 of 3 results