Your message dated Sun, 17 Nov 2024 10:50:21 +0000
with message-id <e1tccrf-00d1vb...@fasolo.debian.org>
and subject line Bug#1072530: fixed in smarty3 3.1.48-2
has caused the Debian Bug report #1072530,
regarding smarty3: CVE-2024-35226
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1072530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: smarty3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for smarty3.
CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.
https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2
(support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
(v5.2.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
https://www.cve.org/CVERecord?id=CVE-2024-35226
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: smarty3
Source-Version: 3.1.48-2
Done: Tobias Frost <t...@debian.org>
We believe that the bug you reported is fixed in the latest version of
smarty3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <t...@debian.org> (supplier of updated smarty3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 17 Nov 2024 11:03:04 +0100
Source: smarty3
Architecture: source
Version: 3.1.48-2
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Tobias Frost <t...@debian.org>
Closes: 1072530
Changes:
smarty3 (3.1.48-2) unstable; urgency=medium
.
[ Tobias Frost ]
* Team upload.
* CVE-2024-35226 - PHP Code injection by untrusted template authors
(Closes: #1072530)
* Add simple testsuite to check against some CVEs.
.
[ Debian Janitor ]
* Set upstream metadata fields: Security-Contact.
* Remove unnecessary get-orig-source-target.
Checksums-Sha1:
6dd1b10fe2b8a3cdd52027775f76241520368a7c 1974 smarty3_3.1.48-2.dsc
6e4cca729a054ba30e6b84a1bd1cf922295138f1 9576 smarty3_3.1.48-2.debian.tar.xz
ba1549361bb9514e49949107edcf55ff205371ae 6477 smarty3_3.1.48-2_amd64.buildinfo
Checksums-Sha256:
3c38ea0c4addd5a8e1b0cae981fa51528749f688985c4b3ad238095d829c9edf 1974 smarty3_3.1.48-2.dsc
0e3bf69dfacd1c7e1bf448138b903c9aa9f8aa996bd9671f539e496682310f48 9576 smarty3_3.1.48-2.debian.tar.xz
a658d7e471e890ee19a55e857bddac5723e9f1423d45a7b5063dd6c8764a027e 6477 smarty3_3.1.48-2_amd64.buildinfo
Files:
d39f09b9647ad03da5efaf0a561e2c92 1974 web optional smarty3_3.1.48-2.dsc
ab0782b427819e75e7b7de1bd1285248 9576 web optional smarty3_3.1.48-2.debian.tar.xz
698130286e2d50cbc98e2a4d9b8fbb59 6477 web optional smarty3_3.1.48-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmc5xzAACgkQkWT6HRe9
XTZ7fBAA3HWHaHrJa4VRd7EAk8VnxQ9q7voAYOOVituVJP6Io8kjsG0WdEaCz64M
YCViXJQPvhqjFxgqdrLI62tLID43DLeiu871FyUHk9Fht+PP4q32PnJlqeGDm2CK
7Z3iiawwDJbkp4n0Aht9Bgw4UNcBd2zvi46/6sLt8se7EW6/gKMHr3AmCvotvNn7
kKk+/ucFJwFbcaVrv+EhH9FZsKsUyD0FFjaJgalokdmbanAwjyLPaz+nJSTRMDxp
IpQh9QPuGKo2VhCvCAztBl19Jy2dVuXkp7cvoztSwhiVab1H+l76HakKGrVIfQLW
0aRaYSHiZaM+smVAY7cpyHAS0MDfl5McA6Kk+yEyJtLHR5mHMegQTS1adVSYG0At
qIkWFHl1O/pSN3PVsRYSfo12LVMogHhIPDqwS0OvBy43qP45RyRNv5cgWHqtDkUt
YmyC5U54JWHQrSaC8qpcnGmbGU9zn8vM8ZRNW10ZkVkrUO8OL3R/qST0sp0w+3ma
TiVUnrcrN3Vf75NvOmHi4ylbbUI3qJjWhRIbEv11vFZtgWeqBiBeTcjB4vMJW652
wHVJbb9O0MLTufevJZlLWqpWjb6WGedOfI+dYU/UPD55gyawJVUrTdkfJBVeHIs8
RRbLqFdJ0buvhgNPKQcONJgcwLOzea3tklhIVQks0YbIuWt3MWo=
=esDJ
-----END PGP SIGNATURE-----
--- End Message ---