Your message dated Fri, 21 Mar 2008 07:52:25 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#469492: fixed in smarty 2.6.9-1sarge1
has caused the Debian Bug report #469492,
regarding smarty: CVE-2008-1066 allows to call arbitrary PHP functions via
templates
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
469492: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: smarty
Version: 2.6.18-1
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.
CVE-2008-1066[0]:
| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpqaTUVzwJOv.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: smarty
Source-Version: 2.6.9-1sarge1
We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:
smarty_2.6.9-1sarge1.diff.gz
to pool/main/s/smarty/smarty_2.6.9-1sarge1.diff.gz
smarty_2.6.9-1sarge1.dsc
to pool/main/s/smarty/smarty_2.6.9-1sarge1.dsc
smarty_2.6.9-1sarge1_all.deb
to pool/main/s/smarty/smarty_2.6.9-1sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated smarty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 16 Mar 2008 12:05:07 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.9-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Dimitri Fontaine <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
smarty - Template engine for PHP
Closes: 469492
Changes:
smarty (2.6.9-1sarge1) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* A \0 character in a search string could be abused to
call arbitrary PHP functions via templates.
CVE-2008-1066, closes: #469492
Files:
3c1955d0151a53532dab661fb9a9b7b3 870 web optional smarty_2.6.9-1sarge1.dsc
4ee0048de6a9b35f1b11b458493327f2 141694 web optional smarty_2.6.9.orig.tar.gz
b1835fb9b611eb5ef3f26f23c21fbdbb 3502 web optional smarty_2.6.9-1sarge1.diff.gz
39408bb8ec42a25956990f2e81bd2d7e 177048 web optional
smarty_2.6.9-1sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR9z/o2z0hbPcukPfAQK8uQf/cBjknFAnsHD1mlHhfslvUDjYAuZOeipW
Y+cgaVzKItxnQRHpnv9ZPTgW7HruMnoKHSPTh6Ks6q+sVXrPGIu0s10mD8YeqjkL
I6wMgD5/JGQHfcZ7rm2COlJQl+1jWDt4Am9m/+Aip0++v02c07CIpkyNvIU5V7E5
70150+FUyljMkfuJOa6MgnOmk+Yd9UGencNDKXlWy+3LfSJ2dPUK1ZN6uwgnrNRp
bwb9TM3RB3zTiS5WWJqqE1/J7oHAGV/sT1sa1bWYJFa1drx0s5H0TffWSy6Ixr+W
7ZB2P89tKpVVaXA6aFHUqOBdxRZPMBLQmqcxlcfvDUrhB6zSiBnwEg==
=IxNY
-----END PGP SIGNATURE-----
--- End Message ---
