Gentoo Archives: gentoo-commits

From: "Alex Legler (a3li)" <a3li@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201006-13.xml
Date: Wed, 02 Jun 2010 21:16:32
Message-Id: 20100602211625.BEA8C2CE14@corvid.gentoo.org
1 a3li 10/06/02 21:16:25
2
3 Added: glsa-201006-13.xml
4 Log:
5 GLSA 201006-13
6
7 Revision Changes Path
8 1.1 xml/htdocs/security/en/glsa/glsa-201006-13.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201006-13.xml?rev=1.1&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201006-13.xml?rev=1.1&content-type=text/plain
12
13 Index: glsa-201006-13.xml
14 ===================================================================
15 <?xml version="1.0" encoding="utf-8"?>
16 <?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17 <?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18 <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20 <glsa id="201006-13">
21 <title>Smarty: Multiple vulnerabilities</title>
22 <synopsis>
23 Multiple vulnerabilities in the Smarty template engine might allow remote
24 attackers to execute arbitrary PHP code.
25 </synopsis>
26 <product type="ebuild">smarty</product>
27 <announced>June 02, 2010</announced>
28 <revised>June 02, 2010: 01</revised>
29 <bug>212147</bug>
30 <bug>243856</bug>
31 <bug>270494</bug>
32 <access>remote</access>
33 <affected>
34 <package name="dev-php/smarty" auto="yes" arch="*">
35 <unaffected range="ge">2.6.23</unaffected>
36 <vulnerable range="lt">2.6.23</vulnerable>
37 </package>
38 </affected>
39 <background>
40 <p>
41 Smarty is a template engine for PHP.
42 </p>
43 </background>
44 <description>
45 <p>
46 Multiple vulnerabilities have been discovered in Smarty:
47 </p>
48 <ul>
49 <li>The vendor reported that the modifier.regex_replace.php plug-in
50 contains an input sanitation flaw related to the ASCII NUL character
51 (CVE-2008-1066).</li>
52 <li>The vendor reported that the
53 _expand_quoted_text() function in libs/Smarty_Compiler.class.php
54 contains an input sanitation flaw via multiple vectors (CVE-2008-4810,
55 CVE-2008-4811).</li>
56 <li>Nine:Situations:Group::bookoo reported that
57 the smarty_function_math() function in libs/plugins/function.math.php
58 contains input sanitation flaw (CVE-2009-1669).</li>
59 </ul>
60 </description>
61 <impact type="normal">
62 <p>
63 These issues might allow a remote attacker to execute arbitrary PHP
64 code.
65 </p>
66 </impact>
67 <workaround>
68 <p>
69 There is no known workaround at this time.
70 </p>
71 </workaround>
72 <resolution>
73 <p>
74 All Smarty users should upgrade to an unaffected version:
75 </p>
76 <code>
77 # emerge --sync
78 # emerge --ask --oneshot --verbose &quot;&gt;=dev-php/smarty-2.6.23&quot;</code>
79 <p>
80 NOTE: This is a legacy GLSA. Updates for all affected architectures are
81 available since June 2, 2009. It is likely that your system is already
82 no longer affected by this issue.
83 </p>
84 </resolution>
85 <references>
86 <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066">CVE-2008-1066</uri>
87 <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4810">CVE-2008-4810</uri>
88 <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4811">CVE-2008-4811</uri>
89 <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669">CVE-2009-1669</uri>
90 </references>
91 <metadata tag="requester" timestamp="Sat, 15 Mar 2008 21:06:13 +0000">
92 p-y
93 </metadata>
94 <metadata tag="bugReady" timestamp="Fri, 19 Sep 2008 19:51:21 +0000">
95 p-y
96 </metadata>
97 <metadata tag="submitter" timestamp="Sun, 30 May 2010 11:16:44 +0000">
98 a3li
99 </metadata>
100 </glsa>
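Review bot: the third item in <description> reads "contains input sanitation flaw", dropping the article that the first two items use ("contains an input sanitation flaw"); add "an" so the list is parallel, and consider "sanitization" in all three items, since that is the usual term for input handling. The three items name the affected file or function but not what kind of input reaches it, so a short clause per item on whether the attacker must supply template content or only request data would let readers judge the "remote" value in <access> and the wording in <impact>. In the <resolution> note, "available since June 2, 2009" is exactly one year before the <announced> date of June 02, 2010, so it is worth confirming that the year is intended and not copied from the announcement date.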