Debian: DSA-1919-2: New smarty packages fix regression
Summary
Several remote vulnerabilities have been discovered in Smarty, a PHP
templating engine. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2008-4810
The _expand_quoted_text function allows for certain restrictions in
templates, like function calling and PHP execution, to be bypassed.
CVE-2009-1669
The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation
attribute of the math function.
For the stable distribution (lenny), this problem has been fixed in
version 2.6.20-1.3.
The testing (squeeze) and unstable distribution (sid) are not affected
by this regression.
We recommend that you upgrade your smarty package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
Source archives:
Size/MD5 checksum: 158091 35f405b2418a26a895302a2ce5bf89d2
Size/MD5 checksum: 4861 fa15219470bdf157e4ccf0d20e6df918
Size/MD5 checksum: 1410 bdcbd684b08f012832e99a68b33b2bc7
Architecture independent packages:
Size/MD5 checksum: 204244 aef92eaf06b3bc912717fc0fcf27de53
These files will probably be moved into the stable distribution on
its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show
