[CVE-2012-4437] XSS in Smarty exception messages


Debian Bug report logs - #688153


Package: smarty3; Maintainer for smarty3 is Mike Gabriel <sunweaver@debian.org>; Source for smarty3 is src:smarty3 (PTS, buildd, popcon).

Reported by: Luciano Bello <luciano@debian.org>

Date: Wed, 19 Sep 2012 20:57:01 UTC

Severity: grave

Tags: patch, security

Fixed in version smarty3/3.1.10-2

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug#688153; Package smarty3. (Wed, 19 Sep 2012 20:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>. (Wed, 19 Sep 2012 20:57:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: XSS in Smarty exception messages
Date: Wed, 19 Sep 2012 22:55:02 +0200
Package: smarty3
Severity: grave
Tags: security patch

The following vulnerability has been reported against smarty.
http://seclists.org/oss-sec/2012/q3/508

The link includes a patch too.

Smarty 2 http://packages.qa.debian.org/s/smarty.html doesn't look affected,
since the vulnerable code is not present. Can you confirm that?

Cheers, luciano



Changed Bug title to '[CVE-2012-4437] XSS in Smarty exception messages' from 'XSS in Smarty exception messages' Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Thu, 20 Sep 2012 19:15:08 GMT) (full text, mbox, link).


Reply sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
You have taken responsibility. (Mon, 24 Sep 2012 14:51:03 GMT) (full text, mbox, link).


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 24 Sep 2012 14:51:04 GMT) (full text, mbox, link).


Message #12 received at 688153-close@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 688153-close@bugs.debian.org
Subject: Bug#688153: fixed in smarty3 3.1.10-2
Date: Mon, 24 Sep 2012 14:47:33 +0000
Source: smarty3
Source-Version: 3.1.10-2

We believe that the bug you reported is fixed in the latest version of
smarty3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688153@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (supplier of updated smarty3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 22 Sep 2012 21:32:58 +0200
Source: smarty3
Binary: smarty3
Architecture: source all
Version: 3.1.10-2
Distribution: unstable
Urgency: low
Maintainer: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Changed-By: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Description: 
 smarty3    - Template engine for PHP
Closes: 688153
Changes: 
 smarty3 (3.1.10-2) unstable; urgency=low
 .
   * Fix CVE-2012-4437: Add patch 001_escape-smarty-exception-messages.patch.
     Closes: #688153.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:01:36 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:55:06 2019; Machine Name: beach
