Hi all,I have just looked at what it needs to fix CVE-2014-8350 for smarty3 [1]. Unfortunately, the fix [2] from between 3.1.20 and 3.1.21 is not trivial to backport to wheezy's 3.1.10 version.
The packages that depend on smarty3 in Debian wheezy are these: o gosa + its plugins o slbackup-php o collabtiveMy recommendation 1 for wheezy and wheezy-lts is to continue providing support for smarty3 (as Debian Edu uses gosa and slbackup-php and I know various wheezy based installations of Debian Edu).
My recommendation 2 for wheezy-lts (or even wheezy-security) is to take smarty3 3.1.21-1 from Debian jessie and provide that on Debian wheezy.
From experience, I think to remember that gosa and slbackup-php from wheezy work fine with smarty3 3.1.21. However, if feedback from the security team and other LTS contributors reaches a consensus to go the version bump path, I would of course set up gosa and slbackup-php for being really sure on what I remember.
Furthermore, I would set up a test instance of collabtive on wheezy, as well and check its functionality.
Greets, Mike [1] https://security-tracker.debian.org/tracker/CVE-2014-8350[2] https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch
-- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
Attachment:
pgp3FF1Elm5sh.pgp
Description: Digitale PGP-Signatur