Your message dated Thu, 12 Dec 2024 10:32:30 +0000
with message-id <e1tlgug-00fjiy...@fasolo.debian.org>
and subject line Bug#1072530: fixed in smarty3 3.1.47-2+deb12u1
has caused the Debian Bug report #1072530,
regarding smarty3: CVE-2024-35226
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1072530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: smarty3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for smarty3.
CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.
https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2
(support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
(v5.2.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
https://www.cve.org/CVERecord?id=CVE-2024-35226
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: smarty3
Source-Version: 3.1.47-2+deb12u1
Done: Tobias Frost <t...@debian.org>
We believe that the bug you reported is fixed in the latest version of
smarty3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <t...@debian.org> (supplier of updated smarty3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 06 Dec 2024 14:39:32 +0100
Source: smarty3
Architecture: source
Version: 3.1.47-2+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Tobias Frost <t...@debian.org>
Closes: 1033964 1072530
Changes:
smarty3 (3.1.47-2+deb12u1) bookworm-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2023-28447 - JavaScript injection (Closes: #1033964)
* CVE-2024-35226 - PHP Code injection by untrusted template authors
(Closes: #1072530)
* Add simple autopkgtests for the three CVEs.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---