Your message dated Sun, 16 Mar 2008 17:19:29 +0100
with message-id <[EMAIL PROTECTED]>
and subject line dropped Smarty in 2005
has caused the Debian Bug report #471200,
regarding ships embedded copy of smarty with security bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
471200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471200
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gosa
Severity: grave
Tags: security patch

Hi,
A security issue has been discovered in Smarty which is also 
shipped as part of gosa:

| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.

Please see the original bug in Smarty here: #469492. The patch is very
straightforward.

The right solution here is to not ship Smarty as part of gosa but make use
of the smarty package that is already in the archive, because the security
team now has to issue multiple DSA's for this single issue which is obviously
problematic.

To address this bug for lenny and sid, please prepare a version of Moodle
that works with the archive version of smarty.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
--- Begin Message ---
Version: 2.4beta1-1

This bug only applies to oldstable, gosa dropped the Smarty embedded copy 
years ago.


Thijs



--- End Message ---
