Your message dated Thu, 12 Jun 2008 15:32:58 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#471160: fixed in gallery2 2.2.5-1
has caused the Debian Bug report #471160,
regarding ships embedded copy of smarty with security bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
471160: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471160
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gallery2
Severity: grave
Tags: security patch

Hi,

A security issue has been discovered in Smarty which is also shipped as part 
of Gallery 2:

| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.

Please see the original bug in Smarty here: #469492. The patch is very 
straightforward.

The right solution here is to not ship Smarty as part of Gallery but make use 
of the smarty package that is already in the archive, because the security 
team now has to issue multiple DSAs for this single issue which is obviously 
problematic.

Could you please take the following actions:
* To address this bug for lenny and sid, please prepare a version of Gallery 
that works with the archive version of smarty;
* For sarge and etch, please prepare updated packages addressing this bug and 
please assess and fix the following unaddressed security issues in gallery2 
in etch: http://security-tracker.debian.net/tracker/source-package/gallery2


thanks,
Thijs


--- End Message ---
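The Smarty issue quoted in the report above, as an added defensive example (it is not Smarty's or Gallery's own code and is not part of the original messages): a sanitizer a template engine can run on a caller-supplied PCRE pattern before handing it to preg_replace(). It first truncates the pattern at the first NUL byte, so the modifier check sees exactly the bytes the PCRE front end will parse, and then strips the eval ("e") modifier from the trailing modifier letters. The function name and the sample patterns are constructed for this example.

```php
<?php
// Added illustrative check, not Smarty's own code: make a PCRE pattern safe
// to pass to preg_replace() when the pattern comes from template input.
// Two defences are combined:
//  1. cut the pattern at the first NUL byte, so that the modifier scan below
//     and the PCRE parser agree on where the modifier letters are;
//  2. remove every "e" (eval) from the trailing modifier letters.
function sanitize_regex_pattern(string $search): string
{
    // 1. Truncate at the first NUL byte.
    $nul = strpos($search, "\0");
    if ($nul !== false) {
        $search = substr($search, 0, $nul);
    }
    // 2. The modifier letters are the alphabetic run at the very end of the
    //    pattern, after the closing delimiter. Strip any "e" from that run.
    if (preg_match('!([a-zA-Z\s]+)$!s', $search, $m) && strpos($m[1], 'e') !== false) {
        $search = substr($search, 0, -strlen($m[1])) . preg_replace('![e\s]+!', '', $m[1]);
    }
    return $search;
}

// Constructed sample patterns: a benign one, one carrying the eval modifier,
// and one that tries to hide the modifier behind a NUL byte.
$samples = [
    '/foo/i',        // unchanged
    '/foo/ie',       // becomes /foo/i
    "/foo/e\0xyz",   // becomes /foo/
];
foreach ($samples as $p) {
    printf("%-16s -> %s\n", addcslashes($p, "\0"), sanitize_regex_pattern($p));
}
```

On PHP 7 and later the e modifier has been removed entirely and preg_replace_callback() is the supported way to compute replacements; the check still matters for code that has to run on older interpreters.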
--- Begin Message ---
Source: gallery2
Source-Version: 2.2.5-1

We believe that the bug you reported is fixed in the latest version of
gallery2, which is due to be installed in the Debian FTP archive:

gallery2_2.2.5-1.diff.gz
  to pool/main/g/gallery2/gallery2_2.2.5-1.diff.gz
gallery2_2.2.5-1.dsc
  to pool/main/g/gallery2/gallery2_2.2.5-1.dsc
gallery2_2.2.5-1_all.deb
  to pool/main/g/gallery2/gallery2_2.2.5-1_all.deb
gallery2_2.2.5.orig.tar.gz
  to pool/main/g/gallery2/gallery2_2.2.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael C. Schultheiss <[EMAIL PROTECTED]> (supplier of updated gallery2 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.8
Date: Thu, 12 Jun 2008 14:42:21 +0000
Source: gallery2
Binary: gallery2
Architecture: source all
Version: 2.2.5-1
Distribution: unstable
Urgency: low
Maintainer: Michael C. Schultheiss <[EMAIL PROTECTED]>
Changed-By: Michael C. Schultheiss <[EMAIL PROTECTED]>
Description: 
 gallery2   - web-based photo album written in PHP
Closes: 471160 479581 483879 485947
Changes: 
 gallery2 (2.2.5-1) unstable; urgency=low
 .
   * New upstream release (Urgency high due to security fixes.
     Closes: #485947)
     + Fix smarty bug (Closes: #471160)
   * Update Galician translation of debconf templates (Thanks to
     Jacobo Tarrio.  Closes: #483879)
   * debian/control:
     + Demote database servers from Recommends to Suggests (Closes: #479581)
Checksums-Sha1:
Checksums-Sha256:
Files:

--- End Message ---