Bug#471158: ships embedded copy of smarty with security bug

2008-10-06 Thread Gerfried Fuchs
Hi! Copy to debian-release because this question is rather a question to the release team, even though it's extremely late and hope is pretty low ... * Thijs Kinkhorst [EMAIL PROTECTED] [2008-03-19 20:15:43 CET]: On Wednesday 19 March 2008 18:45, Christian Perrier wrote: So, would an

Bug#471158: ships embedded copy of smarty with security bug

2008-10-06 Thread Thijs Kinkhorst
On Mon, October 6, 2008 11:12, Gerfried Fuchs wrote: Hi! Copy to debian-release because this question is rather a question to the release team, even though it's extremely late and hope is pretty low ... * Thijs Kinkhorst [EMAIL PROTECTED] [2008-03-19 20:15:43 CET]: On Wednesday 19 March

Bug#471158: ships embedded copy of smarty with security bug

2008-10-06 Thread Gerfried Fuchs
* Thijs Kinkhorst [EMAIL PROTECTED] [2008-10-06 12:05:21 CEST]: On Mon, October 6, 2008 11:12, Gerfried Fuchs wrote: Copy to debian-release because this question is rather a question to the release team, even though it's extremely late and hope is pretty low ... * Thijs Kinkhorst [EMAIL

Bug#471158: ships embedded copy of smarty with security bug

2008-03-19 Thread Christian Perrier
Quoting Christian Perrier ([EMAIL PROTECTED]): That means that there's no immediate security problem fortunately, but that still leaves the problem of removing the embedded smarty code before this package can be released. As only this one file uses it, either removing it from that

Bug#471158: ships embedded copy of smarty with security bug

2008-03-19 Thread Thijs Kinkhorst
On Wednesday 19 March 2008 18:45, Christian Perrier wrote: So, would an NMU *not* covering the security issue interfere with a security update? Again, I'd be happy to do the security update but I need a patch. I tried to have a look at the issue but it requires skills I don't have. You would

Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Thijs Kinkhorst
Package: moodle Severity: grave Tags: security patch Hi, A security issue has been discovered in Smarty which is also shipped as part of Moodle: | The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used | by Serendipity (S9Y) and other products, allows attackers to call |

Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Martin Dougiamas
Actually Moodle doesn't even use smarty (we were going to but we didn't) so this can be completely removed from the code base without any effect. I'll remove it upstream too. Is it still a security problem to have the script there if we don't use it? Cheers, Martin On 16/03/2008, Thijs

Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Thijs Kinkhorst
Hi Martin, On Sunday 16 March 2008 12:56, Martin Dougiamas wrote: Actually Moodle doesn't even use smarty (we were going to but we didn't) so this can be completely removed from the code base without any effect. I'll remove it upstream too. Is it still a security problem to have the script

Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Thijs Kinkhorst
On Sunday 16 March 2008 13:36, you wrote: Hi Martin, On Sunday 16 March 2008 12:56, Martin Dougiamas wrote: Actually Moodle doesn't even use smarty (we were going to but we didn't) so this can be completely removed from the code base without any effect. I'll remove it upstream too.

Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Christian Perrier
Quoting Thijs Kinkhorst ([EMAIL PROTECTED]): I've checked this file out in detail, and it doesn't use the vulnerable function of this Smarty security bug. That means that there's no immediate security problem fortunately, but that still leaves the problem of removing the embedded smarty