Your message dated Fri, 21 Mar 2008 07:52:16 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#469492: fixed in smarty 2.6.14-1etch1
has caused the Debian Bug report #469492,
regarding smarty: CVE-2008-1066 allows to call arbitrary PHP functions via 
templates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
469492: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: smarty
Version: 2.6.18-1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.

CVE-2008-1066[0]:
| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
--- Begin Message ---
Source: smarty
Source-Version: 2.6.14-1etch1

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:

smarty_2.6.14-1etch1.diff.gz
  to pool/main/s/smarty/smarty_2.6.14-1etch1.diff.gz
smarty_2.6.14-1etch1.dsc
  to pool/main/s/smarty/smarty_2.6.14-1etch1.dsc
smarty_2.6.14-1etch1_all.deb
  to pool/main/s/smarty/smarty_2.6.14-1etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Mar 2008 11:49:56 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.14-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Dimitri Fontaine <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 smarty     - Template engine for PHP
Closes: 469492
Changes: 
 smarty (2.6.14-1etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * A \0 character in a search string could be abused to
     call arbitrary PHP functions via templates.
     CVE-2008-1066, closes: #469492
Files: 
 fa71b68819fe520b5616eec683276fdf 950 web optional smarty_2.6.14-1etch1.dsc
 9186796ddbc29191306338dea9d632a0 144986 web optional smarty_2.6.14.orig.tar.gz
 8544db24358f72e091898f45c9fbc961 3814 web optional smarty_2.6.14-1etch1.diff.gz
 d2c9b4a558a052ab1c96bbdadfedafa5 184654 web optional smarty_2.6.14-1etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
