--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-52154efd61
2022-10-23 09:02:48.673518
--------------------------------------------------------------------------------
Name        : php-Smarty
Product     : Fedora 36
Version     : 3.1.47
Release     : 1.fc36
URL         : https://www.smarty.net/
Summary     : Smarty - the compiling PHP template engine
Description :
Smarty is a template engine for PHP, facilitating the separation of
presentation (HTML/CSS) from application logic. This implies that PHP
code is application logic, and is separated from the presentation.

Autoloader: /usr/share/php/Smarty/autoload.php

--------------------------------------------------------------------------------
Update Information:

## [3.1.47] - 2022-09-14

### Security
- Applied appropriate javascript and html escaping in mailto plugin to counter
  injection attacks [#454](https://github.com/smarty-php/smarty/issues/454)

### Fixed
- Fixed use of `rand()` without a parameter in math function
  [#794](https://github.com/smarty-php/smarty/issues/794)
- Fixed unselected year/month/day not working in html_select_date
  [#395](https://github.com/smarty-php/smarty/issues/395)

## [3.1.46] - 2022-08-01

### Fixed
- Fixed problems with smarty_mb_str_replace
  [#549](https://github.com/smarty-php/smarty/issues/549)
- Fixed second parameter of unescape modifier not working
  [#777](https://github.com/smarty-php/smarty/issues/777)

## [3.1.45] - 2022-05-17

### Security
- Prevent PHP injection through malicious block name or include file name.
  This addresses CVE-2022-29221

### Fixed
- Math equation `max(x, y)` didn't work anymore
  [#721](https://github.com/smarty-php/smarty/issues/721)

## [3.1.44] - 2022-01-18

### Fixed
- Fixed illegal characters bug in math function security check
  [#702](https://github.com/smarty-php/smarty/issues/702)

## [3.1.43] - 2022-01-10

### Security
- Prevent evasion of the `static_classes` security policy. This addresses
  CVE-2021-21408

## [3.1.42] - 2022-01-10

### Security
- Prevent arbitrary PHP code execution through maliciously crafted expression
  for the math function. This addresses CVE-2021-29454

## [3.1.41] - 2022-01-09

### Security
- Rewrote the mailto function to not use `eval` when encoding with javascript

## [3.1.40] - 2021-10-13

### Changed
- modifier escape now triggers a E_USER_NOTICE when an unsupported escape type
  is used https://github.com/smarty-php/smarty/pull/649

### Security
- More advanced javascript escaping to handle
  https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
  thanks to m-haritonov

## [3.1.39] - 2021-02-17

### Security
- Prevent access to `$smarty.template_object` in sandbox mode. This addresses
  CVE-2021-26119.
- Fixed code injection vulnerability by using illegal function names in
  `{function name='blah'}{/function}`. This addresses CVE-2021-26120.

## [3.1.38] - 2021-01-08

### Fixed
- Smarty::SMARTY_VERSION wasn't updated
  https://github.com/smarty-php/smarty/issues/628

## [3.1.37] - 2021-01-07

### Changed
- Changed error handlers and handling of undefined constants for
  php8-compatibility (set $errcontext argument optional)
  https://github.com/smarty-php/smarty/issues/605
- Changed expected error levels in unit tests for php8-compatibility
- Travis unit tests now run for all php versions >= 5.3, including php8
- Travis runs on Xenial where possible

### Fixed
- PHP5.3 compatibility fixes
- Brought lexer source functionally up-to-date with compiled version

## [3.1.36] - 2020-04-14

### Fixed
- Smarty::SMARTY_VERSION wasn't updated in v3.1.35
  https://github.com/smarty-php/smarty/issues/584

## [3.1.35] - 2020-04-14

- remove whitespaces after comments
  https://github.com/smarty-php/smarty/issues/447
- fix foreachelse on arrayiterators
  https://github.com/smarty-php/smarty/issues/506
- fix files contained in git export archive for package maintainers
  https://github.com/smarty-php/smarty/issues/325
- throw SmartyException when setting caching attributes for cacheable plugin
  https://github.com/smarty-php/smarty/issues/457
- fix errors that occurred where isset was replaced with null check such as
  https://github.com/smarty-php/smarty/issues/453
- unit tests are now in the repository

## 3.1.34 release - 05.11.2019 13.01.2020

- fix typo in exception message (JercSi)
- fix typehint warning with callable (bets4breakfast)
- add travis badge and compatibility info to readme (matks)
- fix stdClass cast when compiling foreach (carpii)
- fix wrong set/get methods for memcached (IT-Experte)
- fix pborm assigning value to object variables in
  smarty_internal_compile_assign (Hunman)
- exclude error_reporting.ini from git export (glensc)

## 3.1.34-dev-6 - 30.10.2018

- bugfix a nested subblock in an inheritance child template was not replaced by
  outer level block with same name in same child template
  https://github.com/smarty-php/smarty/issues/500

29.10.2018
- bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the "\n"
  (newline) character if it did directly followed a PHP tag like "?>" or other
  https://github.com/smarty-php/smarty/issues/501

14.10.2018
- bugfix autoloader exit shortcut
  https://github.com/smarty-php/smarty/issues/467

11.10.2018
- bugfix {insert} not works when caching is enabled and included template is
  present https://github.com/smarty-php/smarty/issues/496
- bugfix in date-format modifier; NULL at date string or default_date did not
  produce correct output https://github.com/smarty-php/smarty/pull/458

09.10.2018
- bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327
  modifier is applied to sum expression
  https://github.com/smarty-php/smarty/issues/491
- bugfix indexed arrays could not be defined "array(...)""

18.09.2018
- bugfix large plain text template sections without a Smarty tag > 700kB could
  fail in version 3.1.32 and 3.1.33 because PHP preg_match() restrictions
  https://github.com/smarty-php/smarty/issues/488
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 14 2022 Shawn Iwinski  - 3.1.47-1
- Update to 3.1.47
- CVE-2022-29221 (RHBZ #2088250, 2088251)
- CVE-2021-29454 (RHBZ #2044970, 2044971)
- CVE-2021-21408 (RHBZ #2043595, 2043596)
- Security update (RHBZ #2126854, 2126855, 2126856)
* Fri Jul 22 2022 Fedora Release Engineering  - 3.1.33-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2043595 - CVE-2021-21408 php-Smarty: template authors could run restricted static php methods [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2043595
  [ 2 ] Bug #2043596 - CVE-2021-21408 php-Smarty: template authors could run restricted static php methods [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=2043596
  [ 3 ] Bug #2044970 - CVE-2021-29454 php-Smarty: template authors could run arbitrary PHP code by crafting a malicious math string [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2044970
  [ 4 ] Bug #2044971 - CVE-2021-29454 php-Smarty: template authors could run arbitrary PHP code by crafting a malicious math string [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=2044971
  [ 5 ] Bug #2088250 - CVE-2022-29221 php-Smarty: php injection via malicious block name or include file name [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2088250
  [ 6 ] Bug #2088251 - CVE-2022-29221 php-Smarty: php injection via malicious block name or include file name [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=2088251
  [ 7 ] Bug #2126855 - php-Smarty: javascript injection in mailto function [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=2126855
  [ 8 ] Bug #2126856 - php-Smarty: javascript injection in mailto function [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2126856
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-52154efd61' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
Do not reply to spam, report it: https://pagure.io/login/
