Debian
 » 
Debian Security

Re: [SECURITY] [DSA 1919-1] New smarty packages fix several vulnerabilities

View: New views
1 Messages — Rating Filter:   Alert me  

Parent Message unknown Re: [SECURITY] [DSA 1919-1] New smarty packages fix several vulnerabilities

by Axel Ahrens :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

SHIT

Am 25.10.2009 um 17:24 schrieb Thijs Kinkhorst:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> -  
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1919-1                  security@...
> http://www.debian.org/security/                          Thijs  
> Kinkhorst
> October 25, 2009                      http://www.debian.org/security/faq
> -  
> ------------------------------------------------------------------------
>
> Package        : smarty
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-4810 CVE-2009-1669
> Debian Bug     : 504328 529810
>
> Several remote vulnerabilities have been discovered in Smarty, a PHP
> templating engine. The Common Vulnerabilities and Exposures project
> identifies the following problems:
>
> CVE-2008-4810
>
>  The _expand_quoted_text function allows for certain restrictions in
>  templates, like function calling and PHP execution, to be bypassed.
>
> CVE-2009-1669
>
>  The smarty_function_math function allows context-dependent attackers
>  to execute arbitrary commands via shell metacharacters in the  
> equation
>  attribute of the math function.
>
> For the old stable distribution (etch), these problems have been fixed
> in version 2.6.14-1etch2.
>
> For the stable distribution (lenny), these problems have been fixed in
> version 2.6.20-1.2.
>
> For the unstable distribution (sid), these problems will be fixed  
> soon.
>
> We recommend that you upgrade your smarty package.
>
> Upgrade instructions
> - --------------------
>
> wget url
>        will fetch the file for you
> dpkg -i file.deb
>        will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>        will update the internal database
> apt-get upgrade
>        will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Source archives:
>
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14-1etch2.dsc
>    Size/MD5 checksum:      958 f061c466cef93df89e677aeb72101910
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14.orig.tar.gz
>    Size/MD5 checksum:   144986 9186796ddbc29191306338dea9d632a0
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14-1etch2.diff.gz
>    Size/MD5 checksum:     4290 0ef9a669c127818f5ff084e2829738e9
>
> Architecture independent packages:
>
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14-1etch2_all.deb
>    Size/MD5 checksum:   183300 d0ac954aad344f20b5933b09593b2968
>
> Debian GNU/Linux 5.0 alias lenny
> - --------------------------------
>
> Source archives:
>
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.2.dsc
>    Size/MD5 checksum:     1409 f280e2733ef52ff621891f99b26386f3
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.2.diff.gz
>    Size/MD5 checksum:     4876 4d729d18d7efe68e1ce3023149436c01
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20.orig.tar.gz
>    Size/MD5 checksum:   158091 35f405b2418a26a895302a2ce5bf89d2
>
> Architecture independent packages:
>
>  http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.2_all.deb
>    Size/MD5 checksum:   204412 1e8e85b298b97176359dd15731e0dc88
>
>
>  These files will probably be moved into the stable distribution on
>  its next update.
>
> -  
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/
> updates/main
> Mailing list: debian-security-announce@...
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/ 
> <pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iQEcBAEBAgAGBQJK5HuJAAoJECIIoQCMVaAc41oH/iXgblL5cfzH4wujl26DrEmd
> 8ivwmMDdRzd6zio60VtRgbLFfDa1nvByavfJYbJSgjkphbf4qXMxNVVRxp0z9laT
> fg7gkytG9KXXiqvhxz8NrzCGg7v0jmOorATYCamFEUgKg9d+sXy2/bIpO3xN1txU
> Wvub7/q3n8DUg3go7kPMCC5euzaB0Fs0fq6zzWuRcKW640bMiOyNq6n/kvTICv3x
> 4Yv+PIj1KbXgz/R45+QtyQGibJzj3XWTL5DpRNe1fH8uUQ4sqKCyKDsaayrOXa0w
> Y0wkZ3IEmbOpe1UmUB57kAVSzfRAicFOGRJmXunni/tBs2ivBL27P7F/dMKYAQg=
> =EBks
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@...
> with a subject of "unsubscribe". Trouble? Contact listmaster@...
>

--
<e>werk, Gesellschaft für neue Medien mbH
Langenstr. 75, D-28195 Bremen
Registergericht Bremen - HRB 18561
Geschäftsführung: Dipl.-Ing. Jens Zippel
Phone: +49 (0)421 33513-60
Fax: +49 (0)421 33513-65
e-mail: office@...
http://www.ewerk.de

Axel Ahrens, e-mail: ahrens@...
Phone: +49 (0)421 33513-82


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Free embeddable forum powered by Nabble Forum Help