Your message dated Sun, 16 Mar 2008 17:19:29 +0100 with message-id <[EMAIL PROTECTED]> and subject line dropped Smarty in 2005 has caused the Debian Bug report #471200, regarding ships embedded copy of smarty with security bug to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 471200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471200 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems
--- Begin Message ---Package: gosa Severity: grave Tags: security patch Hi, A security issue has been discovered in Smarty which is also shipped as part of gosa: | The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used | by Serendipity (S9Y) and other products, allows attackers to call | arbitrary PHP functions via templates, related to a '0' character in | a search string. Please see the original bug in Smarty here: #469492. The patch is very straigtforward. The right solution here is to not ship Smarty as part of gosa but make use of the smarty package that is already in the archive, because the security team now has to issue multiple DSA's for this single issue which is obviously problematic. To address this bug for lenny and sid, please prepare a version of Moodle that works with the archive version of smarty. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgpSyNMipjpPa.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---Version: 2.4beta1-1 This bug only applies to oldstable, gosa dropped the Smarty embedded copy years ago. Thijs
pgpxE3k1usX13.pgp
Description: PGP signature
--- End Message ---