Your message dated Tue, 18 Mar 2008 00:02:16 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#471201: fixed in mahara 0.9.2-2
has caused the Debian Bug report #471201,
regarding ships embedded copy of smarty with security bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
471201: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471201
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mahara
Severity: grave
Tags: security patch

Hi,
A security issue has been discovered in Smarty which is also
shipped as part of mahara:

| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.

Please see the original bug in Smarty here: #469492. The patch is very
straightforward.

The right solution here is to not ship Smarty as part of mahara but make use
of the smarty package that is already in the archive, because the security
team now has to issue multiple DSAs for this single issue, which is obviously
problematic.

To address this bug for lenny and sid, please prepare a version of Moodle
that works with the archive version of smarty.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

--- End Message ---
--- Begin Message ---
Source: mahara
Source-Version: 0.9.2-2

We believe that the bug you reported is fixed in the latest version of
mahara, which is due to be installed in the Debian FTP archive:

mahara-apache2_0.9.2-2_all.deb
  to pool/main/m/mahara/mahara-apache2_0.9.2-2_all.deb
mahara_0.9.2-2.diff.gz
  to pool/main/m/mahara/mahara_0.9.2-2.diff.gz
mahara_0.9.2-2.dsc
  to pool/main/m/mahara/mahara_0.9.2-2.dsc
mahara_0.9.2-2_all.deb
  to pool/main/m/mahara/mahara_0.9.2-2_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nigel McNie <[EMAIL PROTECTED]> (supplier of updated mahara package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Tue, 18 Mar 2008 12:26:31 +1300
Source: mahara
Binary: mahara mahara-apache2
Architecture: source all
Version: 0.9.2-2
Distribution: unstable
Urgency: low
Maintainer: Nigel McNie <[EMAIL PROTECTED]>
Changed-By: Nigel McNie <[EMAIL PROTECTED]>
Description: 
 mahara     - Electronic portfolio, weblog, and resume builder
 mahara-apache2 - Electronic portfolio, weblog, and resume builder - apache2 config
Closes: 464726 471201
Changes: 
 mahara (0.9.2-2) unstable; urgency=low
 .
   [ Nigel McNie ]
   * Removed recommends on php5-openssl and postgresql-8.1
   * Changed default server name to mahara; moved asking about the servername
     to mahara-apache2 so running `dpkg-reconfigure -plow mahara-apache2'
     changes it (Closes: #464726)
   * Removed the restart_apache helper function
   * Re-ran debconf-updatepo
   * Depend on the smarty debian package rather than bundling our own,
     cherry-picked 21b81a5c4c4bfd0408410fdfdd6a8f0217e8f9ff from 0.9_STABLE to
     assist with this (Closes: #471201)
 .
   [ Francois Marier ]
   * Bump debhelper compatibility to 6
Files: 
 64c1e6e87f67444dd31d3715f70959d1 720 web optional mahara_0.9.2-2.dsc
 401541fb76886fc8f8a94268adce9455 80786 web optional mahara_0.9.2-2.diff.gz
 7492598af6b165021bd043dba741eb64 2080280 web optional mahara_0.9.2-2_all.deb
 17f60313d3a3f26068faf0e77144933d 7842 web optional mahara-apache2_0.9.2-2_all.deb

--- End Message ---