Bug#703482: pu: package smarty/2.6.26-1
On Wed, 2013-03-20 at 17:06 +0900, Hideki Yamane wrote:
> I'd like to upload the smarty package to fix CVE-2012-4437.
> The security team suggested that I upload it to s-p-u.
> Please check attached debdiff.
+smarty (2.6.26-1) stable-proposed-updates; urgency=high
2.6.26-0.2+squeeze1 would be more conventional.
+ * QA upload.
+ * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch
+ - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710)
+ Thanks to Yoshinari Takaoka <mumumu@mumumu.org> for the report.
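Review bot: the changelog entries shown here record only the addition of debian/patches/avoid_possible_script_execution_from_2.6.27.patch, while the same debdiff also creates debian/source/format. Either list that packaging change in the entry or drop it from the upload, so that the changelog matches everything the debdiff actually changes.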
The fix for the XSS looks fine, but:
diff -Nru smarty-2.6.26/debian/source/format smarty-2.6.26/debian/source/format
--- smarty-2.6.26/debian/source/format 1970-01-01 09:00:00.000000000 +0900
+++ smarty-2.6.26/debian/source/format 2013-03-10 22:31:20.000000000 +0900
@@ -0,0 +1 @@
+3.0 (quilt)
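Review bot: creating debian/source/format with "3.0 (quilt)" changes the source package format, which is unrelated to the CVE-2012-4437 fix named in the changelog. Drop this file from the debdiff and carry the fix in whatever way the package's existing source format already supports, so that the update contains only the security change.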
Definitely not in a stable update.
Regards,
Adam