Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Debian: DSA-5151-1 Moderate: Smarty3 Code Execution Risk

debian
Calendar Grey May 29, 2022
Debian Logo
Urgent security patch released for smarty3 in Debian. Corrections address remote execution flaws and suggest immediate updates.
Several security vulnerabilities have been discovered in smarty3, the compiling PHP template engine

Summary

Several security vulnerabilities have been discovered in smarty3, the compiling
PHP template engine. Template authors are able to run restricted static php
methods or even arbitrary PHP code by crafting a malicious math string or by
choosing an invalid {block} or {include} file name. If a math string was passed
through as user provided data to the math function, remote users were able to
run arbitrary PHP code as well.

For the oldstable distribution (buster), these problems have been fixed
in version 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 3.1.39-2+deb11u1.

We recommend that you upgrade your smarty3 packages.

For the detailed security status of smarty3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/smarty3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https...

Read the Full Advisory

Severity
important
Lowest
Low
Medium
High
Critical

Package: smarty3
CVE ID: CVE-2021-21408 CVE-2021-26119 CVE-2021-26120 CVE-2021-29454

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.