[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 4094-2] smarty3 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4094-2                   security@debian.org
https://www.debian.org/security/                                         
January 30, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : smarty3
CVE ID         : CVE-2017-1000480
Debian Bug     : 886460

Côme Chilliet from the FusionDirectory team detected a regression in the
previously issued fix for CVE-2017-1000480. This regression only affects
the Jessie version of the patch. For reference, the relevant part of the
original advisory text follows.

It was discovered that Smarty, a PHP template engine, was vulnerable to
code-injection attacks. An attacker was able to craft a filename in
comments that could lead to arbitrary code execution on the host running
Smarty.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.1.21-1+deb8u2.

We recommend that you upgrade your smarty3 packages.

For the detailed security status of smarty3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/smarty3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlpwrI8ACgkQbsLe9o/+
N3S2ThAAoTIBEBY7C7wZyHe00TMijKJh5Hjxtz7ApEzctO3+I8WCSm+90onW8W/J
W7+7eI9pNaVhWeK6yreO2rq/4qYMQvR2AJhA5L39k0JYQbTIIaCMSUXoCQ5ueP6X
IbXdlihcSFKxNpfqXZRBfg2M0k86RzUpIS1A4IJYpl4/pWG549JpXsoLxb9l/YgH
v81km+PA3SMXmkhZ7pfE/pQ/956hGCjd+qIRVkKdakZx+paxE6y24ltr2CGteQaN
IugRK0Fx7K9QhZrfsy6IrcoRn9Kz6QGStPJLNvV2doeM+ZUy7mT8sLHpIaEeu8U0
WElCxM8GAf9hfIYcrx1yAPV0KVj73HGluFeMTzijg7NtIb0fKTB/3i8uhN0Gw7MG
AftCzH5PHPiQj7PtcZOXBwQQssLaQzGRSCG5KgNiiAg27kwvYOcyhK6FtMmMcqjK
wF8M5mckuiCiqDSM4nuXrqiRt0viZkaLY2hIni09r0PaGIUKvQso1I/+X3QT3Bdr
6AzBgQxegCrZn9peduGCt8u1HS0jQH3X3rygptr33vtT6KerfgfehzCBFKQxhZJf
b1lGdABJyiLBqQlMNoFIML9TKcLSN4kfUn5gBhcdPVR8XykHLgSycnBww/2GK3dY
Vs5KGL+QhJ4CWPr0oSpypX0Upd+KL/0okGAaYcMLJw97VhNk2pE=
=r8LY
-----END PGP SIGNATURE-----


Reply to: