Actually Moodle doesn't even use smarty (we were going to but we didn't) so this can be completely removed from the code base without any effect. I'll remove it upstream too.
Is it still a security problem to have the script there if we don't use it?

Cheers,
Martin

On 16/03/2008, Thijs Kinkhorst <[EMAIL PROTECTED]> wrote:
> Package: moodle
> Severity: grave
> Tags: security patch
>
> Hi,
>
> A security issue has been discovered in Smarty which is also shipped as part
> of Moodle:
>
> | The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
> | by Serendipity (S9Y) and other products, allows attackers to call
> | arbitrary PHP functions via templates, related to a '0' character in
> | a search string.
>
> Please see the original bug in Smarty here: #469492. The patch is very
> straightforward.
>
> The right solution here is to not ship Smarty as part of Moodle but make use
> of the smarty package that is already in the archive, because the security
> team now has to issue multiple DSA's for this single issue which is obviously
> problematic.
>
> Could you please take the following actions:
> * To address this bug for lenny and sid, please prepare a version of Moodle
>   that works with the archive version of smarty;
> * For sarge and etch, please prepare updated packages addressing this bug and
>   #432264, which is also still open in sarge/etch.
>
> thanks,
> Thijs

-- 
/// Moodle - open-source software for collaborative learning
/// Free software, community, information: http://moodle.org
/// Commercial support and other services: http://moodle.com
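For readers wanting to see what a hardened regex_replace-style modifier looks like, here is an added illustration; it is not Smarty's upstream patch, Moodle code, or anything Martin or Thijs posted. It assumes the template-controlled search pattern goes straight into preg_replace() and that an embedded NUL byte can cut short a naive check of the trailing modifier flags, so it strips the NUL and the eval flag before the pattern is used.

```php
<?php
// Added example (not Smarty's or Moodle's code): hardening a template
// "regex_replace" modifier before its search pattern reaches preg_replace().
// Assumption: the pattern is template-controlled, and a NUL byte inside it
// can terminate a naive string check on the trailing modifier flags.

function sanitize_regex_pattern(string $search): string
{
    // 1. Drop everything from an embedded NUL byte onward: PCRE parses past
    //    it, while a C-string style check on the flags would stop there.
    if (($pos = strpos($search, "\0")) !== false) {
        $search = substr($search, 0, $pos);
    }
    // 2. Split off the trailing modifier flags and remove the eval flag 'e'
    //    (and stray whitespace) so a template can never request code execution.
    if (preg_match('/([a-zA-Z\s]*)$/s', $search, $m) && $m[1] !== '') {
        $flags  = preg_replace('/[e\s]+/', '', $m[1]);
        $search = substr($search, 0, -strlen($m[1])) . $flags;
    }
    return $search;
}

function safe_regex_replace(string $string, $search, $replace): string
{
    // Accept a single pattern or an array of patterns, like preg_replace().
    $search = is_array($search)
        ? array_map('sanitize_regex_pattern', $search)
        : sanitize_regex_pattern($search);
    $result = preg_replace($search, $replace, $string);
    if ($result === null) {
        // Malformed pattern: fail closed instead of returning a partial value.
        throw new InvalidArgumentException(
            'invalid regular expression (preg error ' . preg_last_error() . ')'
        );
    }
    return $result;
}

// Constructed inputs: one benign pattern and two that try to smuggle the
// 'e' flag past a modifier check.
var_dump(safe_regex_replace('foo bar', '/bar/', 'baz'));   // string(7) "foo baz"
var_dump(sanitize_regex_pattern("/bar/\0e"));               // string(5) "/bar/"
var_dump(sanitize_regex_pattern('/bar/ie'));                // string(6) "/bar/i"
```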