Your message dated Mon, 30 May 2022 06:50:05 +0000
with message-id <e1nvze5-0006fk...@fasolo.debian.org>
and subject line Bug#1011758: fixed in smarty3 3.1.45-1
has caused the Debian Bug report #1011758,
regarding smarty3: CVE-2022-29221 - template authors can inject php code by choosing malicious filenames
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1011758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: smarty3
Version: 3.1.39-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for smarty3.
CVE-2022-29221[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. Prior to versions
| 3.1.45 and 4.1.1, template authors could inject php code by choosing a
| malicious {block} name or {include} file name. Sites that cannot fully
| trust template authors should upgrade to versions 3.1.45 or 4.1.1 to
| receive a patch for this issue. There are currently no known
| workarounds.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: smarty3
Source-Version: 3.1.45-1
Done: Mike Gabriel <sunwea...@debian.org>
We believe that the bug you reported is fixed in the latest version of
smarty3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1011...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated smarty3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 30 May 2022 08:24:30 +0200
Source: smarty3
Architecture: source
Version: 3.1.45-1
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 1011758
Changes:
smarty3 (3.1.45-1) unstable; urgency=medium
.
  * New upstream release.
    - CVE-2021-21408: Prevent template authors from running restricted static
      php methods. (see smarty4 bug #1010375).
    - CVE-2021-29454: Prevent template authors from running arbitrary PHP code
      by crafting a malicious math string. (see smarty4 bug #1010375, as well).
    - CVE-2022-29221: Prevent template authors from injecting PHP code by
      choosing malicious filenames. (Closes: #1011758).
  * debian/watch:
    + Only watch 3.x versions of Smarty.
  * debian/control:
    + Bump Standards-Version: to 4.6.1. No changes needed.
  * debian/copyright:
    + Update copyright attributions.
--- End Message ---