
maintainer feedback on CVE-2014-8350 (smarty3)

Hi all,

I have just looked at what it takes to fix CVE-2014-8350 for smarty3 [1]. Unfortunately, the fix [2] from between 3.1.20 and 3.1.21 is not trivial to backport to wheezy's 3.1.10 version.

The packages that depend on smarty3 in Debian wheezy are these:

  o gosa + its plugins
  o slbackup-php
  o collabtive

My recommendation 1 for wheezy and wheezy-lts is to continue providing support for smarty3 (as Debian Edu uses gosa and slbackup-php and I know various wheezy based installations of Debian Edu).

My recommendation 2 for wheezy-lts (or even wheezy-security) is to take smarty3 3.1.21-1 from Debian jessie and provide that on Debian wheezy.

From experience, I seem to remember that gosa and slbackup-php from wheezy work fine with smarty3 3.1.21. However, if feedback from the security team and other LTS contributors reaches a consensus to go the version bump path, I would of course set up gosa and slbackup-php to be really sure about what I remember.

Furthermore, I would set up a test instance of collabtive on wheezy as well and check its functionality.


[1] https://security-tracker.debian.org/tracker/CVE-2014-8350
[2] https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch

mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
