Your message dated Tue, 15 Oct 2024 10:20:33 +0000
with message-id <e1t0efj-00870x...@fasolo.debian.org>
and subject line Bug#1072529: fixed in smarty4 4.5.4-1
has caused the Debian Bug report #1072529,
regarding smarty4: CVE-2024-35226
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1072529: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072529
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: smarty4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty4.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2
 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
 (v5.2.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
    https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: smarty4
Source-Version: 4.5.4-1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
smarty4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated smarty4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 15 Oct 2024 10:31:20 +0200
Source: smarty4
Architecture: source
Version: 4.5.4-1
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 1072529
Changes:
 smarty4 (4.5.4-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2024-35226: Prohibit template authors from being able to inject
       PHP code by choosing a malicious file name for an extends-tag. (Closes:
       #1072529).
   * debian/watch:
     + Only watch smarty 4.x versions.
Checksums-Sha1:
 122c3ce3a67506b1788821721c63287faf52353f 1973 smarty4_4.5.4-1.dsc
 7ff0896d04ff36f15c8e29202d9d07b54dad8b33 363218 smarty4_4.5.4.orig.tar.gz
 0556393cdaae4494034b5da7905848f4262b8404 9140 smarty4_4.5.4-1.debian.tar.xz
 e9aa9974820c076815291d3b14e818ee2f6164cc 7121 smarty4_4.5.4-1_source.buildinfo
Checksums-Sha256:
 39c144b35b603a60e066b88829bb79a5d15fec5f031eab71339fec199310644f 1973 smarty4_4.5.4-1.dsc
 3bb1d7fded2f24659740db80eba76aa7fa8868a8f6d00034d1e8483da4a19b6e 363218 smarty4_4.5.4.orig.tar.gz
 8ca43bd5bbdcfbc28061c7194c47cc2df468d605f964cf3be778b7f4ad1a5290 9140 smarty4_4.5.4-1.debian.tar.xz
 f4445853c849e70ef10d1fb42901dbc33eba4ea563232bc3e609e0758e6a742c 7121 smarty4_4.5.4-1_source.buildinfo
Files:
 3b73e6acc079fcf56cb19d7614143f7e 1973 web optional smarty4_4.5.4-1.dsc
 a927a007a528a31d5439a0c24bbca6b3 363218 web optional smarty4_4.5.4.orig.tar.gz
 520ad804f3960811d3a4ce40efa4598a 9140 web optional smarty4_4.5.4-1.debian.tar.xz
 6dbf798da2bf462317484b781d81b014 7121 web optional smarty4_4.5.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpGYxrxe5k19.pgp
Description: PGP signature


--- End Message ---