Your message dated Thu, 15 Jun 2023 15:28:53 +0000
with message-id <[email protected]>
and subject line Bug#1033965: fixed in smarty4 4.3.1-1
has caused the Debian Bug report #1033965,
regarding smarty4: CVE-2023-28447: Cross site scripting vulnerability in Javascript escaping
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1033965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: smarty3
Version: 3.1.47-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:smarty4 4.3.0-1
Control: retitle -2 smarty4: CVE-2023-28447: Cross site scripting vulnerability in Javascript escaping

Hi,

The following vulnerability was published for smarty.

CVE-2023-28447[0]:
| Smarty is a template engine for PHP. In affected versions smarty did
| not properly escape javascript code. An attacker could exploit this
| vulnerability to execute arbitrary JavaScript code in the context of
| the user's browser session. This may lead to unauthorized access to
| sensitive user data, manipulation of the web application's behavior,
| or unauthorized actions performed on behalf of the user. Users are
| advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve
| this issue. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28447
    https://www.cve.org/CVERecord?id=CVE-2023-28447
[1] https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: smarty4
Source-Version: 4.3.1-1
Done: Mike Gabriel <[email protected]>

We believe that the bug you reported is fixed in the latest version of
smarty4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated smarty4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Jun 2023 16:21:25 +0200
Source: smarty4
Architecture: source
Version: 4.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 1033965
Changes:
 smarty4 (4.3.1-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2023-28447: Fix cross site scripting vulnerability in Javascript
       escaping. (Closes: #1033965).
   * debian/copyright:
     + Update copyright attributions.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
