
Bug#703482: pu: package smarty/2.6.26-1



On Wed, 2013-03-20 at 17:06 +0900, Hideki Yamane wrote:
>  I'd like to upload the smarty package to fix CVE-2012-4437.
>  The security team suggested that I upload it to s-p-u.
>  Please check the attached debdiff.

+smarty (2.6.26-1) stable-proposed-updates; urgency=high
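Review bot: the version in the changelog header, 2.6.26-1, carries no stable-update suffix, so it does not identify the upload as a squeeze update of the package already in stable; the conventional form suggested in the reply, 2.6.26-0.2+squeeze1, builds on the existing stable version and keeps the update distinguishable from it.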

2.6.26-0.2+squeeze1 would be more conventional.

+  * QA upload.
+  * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch
+    - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710)
+      Thanks to Yoshinari Takaoka <mumumu@mumumu.org> for the report.
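Review bot: the changelog entry says the fix is "cherry picked from upstream" but gives no upstream commit or release reference beyond the "2.6.27" in the patch filename; adding the upstream commit id (or a link to the upstream change) to the changelog entry or the patch header would let reviewers verify that the backport matches the original fix.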

The fix for the XSS looks fine, but:

diff -Nru smarty-2.6.26/debian/source/format smarty-2.6.26/debian/source/format
--- smarty-2.6.26/debian/source/format  1970-01-01 09:00:00.000000000 +0900
+++ smarty-2.6.26/debian/source/format  2013-03-10 22:31:20.000000000 +0900
@@ -0,0 +1 @@
+3.0 (quilt)
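Review bot: adding debian/source/format with "3.0 (quilt)" changes the source package format, a packaging change unrelated to the CVE-2012-4437 fix; a stable update should be limited to the security fix itself, so this hunk should be dropped and the patch applied with whatever source format and patch handling the stable package already uses.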

Definitely not in a stable update.

Regards,

Adam
