Gallery 3.0.7 is now available! Yes, we were hoping that 3.0.6 would be the last release in the 3.0 line, but thanks to Dhiraj Ranka and Shad Laws (a new Gallery core developer - woot!) we've uncovered two small security vulnerabilities that we'd like to patch up, because safety first! Please go ahead and update to 3.0.7 and then sit back and enjoy while we work hard behind the scenes to get 3.1 ready for you.
2013-04-22 06:20:25 PDT by ckdake
Gallery 3.0.6 is now available! This is likely to be the last release in the 3.0 branch of Gallery - next up we're going to 3.1 and making a lot of big improvements. But before we do that, we wanted to iron out a few kinks and update a few last libraries before we stop working on the 3.0.x code base. This upgrade will be fast and painless, so go on, do it!
2013-03-20 06:13:57 PDT by ckdake
Gallery 3.0.5 is now available for download. It contains several security fixes as well as a handful of new features. The only major security issue involves someone malicious accessing a copy of Gallery 3 that is not yet installed, so if you already have Gallery 3.0.4 installed and configured there are no known major issues. However, as always we strongly recommend that you upgrade to the latest code. Go on, do it. It's fast and painless.
We'd like to thank the following individuals for responsibly reporting these security issues: Michael T. Boos, AMol NAik, Johannes Dahse, Sergey Markov, James 'albino' Kettle, and Johannes Dahse. For their efforts, they will each be receiving bounties of between $100 and $1000 for their help in making Gallery more secure.
2013-02-22 06:50:06 PST by ckdake
After several extensive internal and external security audits which discovered 22 distinct vulnerabilities, we are releasing Gallery 3.0.4 as a security release. All of the issues require that someone with malicious intent either have an account with edit permissions, or trick a user with edit permissions into clicking on a malicious link. In most cases, this can only lead to a possible XSS vulnerability, but in several instances it allows arbitrary PHP code execution.
We thank the following individuals for reporting these issues: Chalk, Mateusz Goik, James 'albino' Kettle, Emanuel Bronshtein, and Sergey Markov. Due to their efforts, they will each be receiving bounties of $1000 for their help in making Gallery more secure.
2012-06-12 11:34:27 PDT by ckdake
Gallery is an online photo album organizer. Whether for small personal sites or large community sites, Gallery provides an intuitive way to blend photo management seamlessly into any website. Serving millions worldwide, Gallery is the most widely used system of its kind. Gallery is free to download and use.
We're releasing both Gallery 3.0.3 and Gallery 2.3.2 as security releases. Several researchers, working independently, discovered possible encryption-related vulnerabilities. Low-risk XSS vulnerabilities limited to the administration area were also reported. We thank the following individuals for reporting these issues: James 'albino' Kettle, George Argyros & Aggelos Kiayias, and Emanuel Bronshtein. The CVE id for these issues is CVE-2012-1113.
2012-04-11 08:24:29 PDT by ckdake