Your message dated Sun, 29 May 2022 06:19:49 +0000
with message-id <[email protected]>
and subject line Bug#1010375: fixed in smarty4 4.1.1-1
has caused the Debian Bug report #1010375,
regarding smarty4: CVE-2021-21408 CVE-2021-29454
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1010375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010375
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: smarty4
Version: 4.1.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for smarty4.
CVE-2021-21408[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. Prior to versions
| 3.1.43 and 4.0.3, template authors could run restricted static php
| methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a
| patch.
CVE-2021-29454[1]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. Prior to versions
| 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by
| crafting a malicious math string. If a math string was passed through
| as user provided data to the math function, external users could run
| arbitrary PHP code by crafting a malicious math string. Users should
| upgrade to version 3.1.42 or 4.0.2 to receive a patch.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408
[1] https://security-tracker.debian.org/tracker/CVE-2021-29454
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: smarty4
Source-Version: 4.1.1-1
Done: Mike Gabriel <[email protected]>
We believe that the bug you reported is fixed in the latest version of
smarty4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated smarty4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 29 May 2022 07:58:20 +0200
Source: smarty4
Architecture: source
Version: 4.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 1010375 1011757
Changes:
smarty4 (4.1.1-1) unstable; urgency=medium
.
* New upstream release.
- CVE-2021-21408: Prevent template authors from running restricted static
php methods. (Closes: #1010375).
- CVE-2021-29454: Prevent template authors from running arbitrary PHP code
by crafting a malicious math string. (Closes: #1010375, as well).
- CVE-2022-29221: Prevent template authors from injecting PHP code by
choosing malicious filenames. (Closes: #1011757).
* debian/control:
+ Bump Standards-Version: to 4.6.1. No changes needed.
* debian/smarty4.docs:
+ Drop demo/ from documentation files. Folder removed upstream.
* debian/copyright:
+ Update copyright attributions.
Checksums-Sha1:
e63f1e6899e030785fc8559e34576e9d74457507 1973 smarty4_4.1.1-1.dsc
caf00055f53d86370bbc91a2048810e7bb157c4f 235624 smarty4_4.1.1.orig.tar.gz
ac9f2bf465c54a84a8b8a1fcfd2a9ba3fda69289 8684 smarty4_4.1.1-1.debian.tar.xz
23783cdb7ea6d64133c66ea94ac9615935f875c2 6776 smarty4_4.1.1-1_source.buildinfo
Checksums-Sha256:
18178ffd0e97255897c95c8678aec3d1a08686a786d72420f309dafae6711868 1973
smarty4_4.1.1-1.dsc
077847a9686a3b0e2f8bcd1ca232a452d796b188a71fbc73ca0e358c5970f21b 235624
smarty4_4.1.1.orig.tar.gz
0ea3e9674769de094f8f8ffce9c75142ebd057a47c51883c01814f8be7002dbf 8684
smarty4_4.1.1-1.debian.tar.xz
179dcac50f9d42bccefbe867580823257063fd72b91b8b1015032b624c715736 6776
smarty4_4.1.1-1_source.buildinfo
Files:
59dbeb471d779e66d58abfd28f7d70b3 1973 web optional smarty4_4.1.1-1.dsc
19f86d232cc97b7d92b01ea1c67ade70 235624 web optional smarty4_4.1.1.orig.tar.gz
21df9c28f8c33b35ee8fb9646b4af00e 8684 web optional
smarty4_4.1.1-1.debian.tar.xz
7ec01bf3198dd71593dbd264a028e523 6776 web optional
smarty4_4.1.1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAmKTDSsVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxb4AP/06Naadf+7TVQp+XpbozQt9yNyOu
wNHpsFPiWmDN37RZvVzRu9ehn4fKHoG08P4wIRNvFA0JqLa85KkbJMn5KRYYMCVD
UHXR4/vMEoaX5ie7/sxFefQOqFhVmZCgGd9Nbs542U9PMDYa2FJ1ia9FvRN0cMyZ
oewtwO/YagFZM/ypmQqqHCfi6addsVGc9CCPtKv+4eN5u1KZPS+qYlIDTyW/G1UT
yLwqGEm1W4hNEeOjSIIYEaGsFbv+DI55JE+4CSISnCd/jREw3/U5wfwczRo55xaK
NqfHQMpJwKFXq6llBmCzCjuIGxwPHkVOU9JHHFqyZ7KBbwPkILRSn7ofg3Qj/Yme
1kuI2iMeBxVBwQG6XfehPzdOuc7c/SEQvLiGuUMYC/OJ8QI+ipzrFRPW4l7LrNxZ
nmI8VFfbC6UuhOFCKijstm5/aUZJ2JS20/dpBWe/fRqTM+kkfP+DxfVXvoN4n+ij
AxcZWIvz2cPyS5/e0+bvsotY3v5KbWnyCKqLGSy11i2f4DL/zFOGPcbcMZwyZVMj
n0U3n2hG1pD6rQ3475q9z/ntrM34SWCWd77CG18R6A0E2ajEFd/1GzIpRn2sW9d9
CIdgRQUTuI28XHzROQjW650aCF0oAmaqwLbOXDzC4WSaNbhHNLQFvNdzAUhyIFFG
Hgbv7k9G7AuSpINQ
=YJxu
-----END PGP SIGNATURE-----
--- End Message ---
