Your message dated Wed, 04 Nov 2009 21:05:22 +0000
with message-id <[email protected]>
and subject line Bug#504328: fixed in smarty 2.6.26-0.1
has caused the Debian Bug report #504328,
regarding Smarty "_expand_quoted_text()" Security Bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
504328: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504328
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: smarty
Severity: important
Version: 2.6.14-1
Tags: security patch
Hi,
The following SA (Secunia Advisory) id was published for Smarty.
SA32329[1]:
> A vulnerability has been reported in Smarty, which can be exploited by
> malicious people to bypass certain security restrictions.
>
> The vulnerability is caused due to an error when processing data with
> embedded variables. This can be exploited to potentially execute arbitrary
> PHP code.
The patch for Smarty_Compiler.class.php can be found at [2].
If you fix the vulnerability please also make sure to include the SA id in the
changelog entry.
[1]http://secunia.com/Advisories/32329/
[2]http://code.google.com/p/smarty-php/source/diff?spec=svn2797&r=2797&format=side&path=/trunk/libs/Smarty_Compiler.class.php
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
Source: smarty
Source-Version: 2.6.26-0.1
We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:
smarty_2.6.26-0.1.diff.gz
to main/s/smarty/smarty_2.6.26-0.1.diff.gz
smarty_2.6.26-0.1.dsc
to main/s/smarty/smarty_2.6.26-0.1.dsc
smarty_2.6.26-0.1_all.deb
to main/s/smarty/smarty_2.6.26-0.1_all.deb
smarty_2.6.26.orig.tar.gz
to main/s/smarty/smarty_2.6.26.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[email protected]> (supplier of updated smarty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 24 Oct 2009 12:40:12 +0200
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.26-0.1
Distribution: unstable
Urgency: low
Maintainer: Dimitri Fontaine <[email protected]>
Changed-By: Thijs Kinkhorst <[email protected]>
Description:
smarty - Template engine for PHP
Closes: 504328 529810
Changes:
smarty (2.6.26-0.1) unstable; urgency=low
.
* Non-maintainer upload.
* New upstream release to address open security issues.
(CVE-2008-4810, CVE-2008-4811, CVE-2009-1669,
closes: #529810, #504328)
* Remove installation of smarty_icon.README and unit_test,
dropped upstream.
Checksums-Sha1:
72f0ef983a60fd91a3fad61b3f05252f761e15f3 1412 smarty_2.6.26-0.1.dsc
040245f979e759d9b80c35de04035f010ed6d158 153034 smarty_2.6.26.orig.tar.gz
82cfd17888fc252ff8dd8d8ebd7ef9c56fdf0615 4501 smarty_2.6.26-0.1.diff.gz
7fde38359420618906f9ad76ff36427f7594651a 201342 smarty_2.6.26-0.1_all.deb
Checksums-Sha256:
460579a9b081360e27bce26915ca6226d21d3b0029d0411a7049f85a0242e5a5 1412
smarty_2.6.26-0.1.dsc
99185a967a6cebdc00f29feb70b113a9970572751892c12673c27dd765d43f99 153034
smarty_2.6.26.orig.tar.gz
57de0dc0bdb7e84df99fab3930c34dce228cdf4af05f9143f9e7bc923dc59efd 4501
smarty_2.6.26-0.1.diff.gz
a8958067c110675b9eb5501ad0d86763d6bd2d70edc1ea6f4e65985754d819d0 201342
smarty_2.6.26-0.1_all.deb
Files:
555de39317d1031acce8108ab94f2a00 1412 web optional smarty_2.6.26-0.1.dsc
e0da351443b8613e1013c481ab30cb84 153034 web optional smarty_2.6.26.orig.tar.gz
fb52a8723695be8bf6fb67a38780e3a7 4501 web optional smarty_2.6.26-0.1.diff.gz
77b4e11dc4cce086fcd9cc8be95e87d1 201342 web optional smarty_2.6.26-0.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBCAAGBQJK4tvBAAoJECIIoQCMVaAcnGAH/iORX16UwuuHRMJ74/Sm6bmz
0jIfdMJfxS5NJ/dGaPKwg3f6mAgxxpfEMFAbrdj8k63K7wGIqs+EkgyYuSeYTSqV
qxd6cjQcA+HD8/NyW6n97C7c/+63f2ZzDlwQ/1X7Dtxm7Jd09XQdL7p4zk7ulx1i
K/OxYr3gHdsTdOEUwnK6yG5/na698m263pmTYC34OQv/xYKhWzwIV0zyhluIPLWz
t1iKFZM28QiFjn3gkbElYjR1CB+69eXPVZgyM5bNz76Vcj3ZBsrRdGTLFmGYrRE/
Iv3rCY1GbzopfxXAc9hvPK5cnbNv41GfSkVvvxW76DALVUn/WZF50rs7zZlYLn4=
=wbJB
-----END PGP SIGNATURE-----
--- End Message ---
