The Gallery team reports:
Gallery 2.2.4 addresses the following security vulnerabilities:
- Publish XP module - Fixed unauthorized album creation and file uploads.
- URL rewrite module - Fixed local file inclusion vulnerability in unsecured admin controller and information disclosure in hotlink protection.
- Core / add-item modules - Fixed Cross Site Scripting (XSS) vulnerabilities through malicious file names.
- Installation (Gallery application) - Update web-accessibility protection of the storage folder for Apache 2.2.
- Core (Gallery application) / MIME module - Fixed vulnerability in checks for disallowed file extensions in file uploads.
- Gallery Remote module - Added missing permissions checks for some GR commands.
- WebDAV module - Fixed Cross Site Scripting (XSS) vulnerability through HTTP PROPPATCH.
- WebDAV module - Fixed information (item data) disclosure in a WebDAV view.
- Comment module - Fixed information (item data) disclosure in comment views.
- Core module (Gallery application) - Improved resilience against item information disclosure attacks.
- Slideshow module - Fixed information (item data) disclosure in the slideshow.
- Print modules - Fixed information (item data) disclosure in several print modules.
- Core / print modules - Fixed arbitrary URL redirection (phishing attacks) in the core module and several print modules.
- WebCam module - Fixed proxied request weakness.