-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4094-2 security@debian.org https://www.debian.org/security/ January 30, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : smarty3 CVE ID : CVE-2017-1000480 Debian Bug : 886460 CA'me Chilliet from the FusionDirectory team detected a regression in the previously issued fix for CVE-2017-1000480. This regression only affects the Jessie version of the patch. For reference, the relevant part of the original advisory text follows. It was discovered that Smarty, a PHP template engine, was vulnerable to code-injection attacks. An attacker was able to craft a filename in comments that could lead to arbitrary code execution on the host running Smarty. For the oldstable distribution (jessie), this problem has been fixed in version 3.1.21-1+deb8u2. We recommend that you upgrade your smarty3 packages. For the detailed security status of smarty3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/smarty3 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlpwrI8ACgkQbsLe9o/+ N3S2ThAAoTIBEBY7C7wZyHe00TMijKJh5Hjxtz7ApEzctO3+I8WCSm+90onW8W/J W7+7eI9pNaVhWeK6yreO2rq/4qYMQvR2AJhA5L39k0JYQbTIIaCMSUXoCQ5ueP6X IbXdlihcSFKxNpfqXZRBfg2M0k86RzUpIS1A4IJYpl4/pWG549JpXsoLxb9l/YgH v81km+PA3SMXmkhZ7pfE/pQ/956hGCjd+qIRVkKdakZx+paxE6y24ltr2CGteQaN IugRK0Fx7K9QhZrfsy6IrcoRn9Kz6QGStPJLNvV2doeM+ZUy7mT8sLHpIaEeu8U0 WElCxM8GAf9hfIYcrx1yAPV0KVj73HGluFeMTzijg7NtIb0fKTB/3i8uhN0Gw7MG AftCzH5PHPiQj7PtcZOXBwQQssLaQzGRSCG5KgNiiAg27kwvYOcyhK6FtMmMcqjK wF8M5mckuiCiqDSM4nuXrqiRt0viZkaLY2hIni09r0PaGIUKvQso1I/+X3QT3Bdr 6AzBgQxegCrZn9peduGCt8u1HS0jQH3X3rygptr33vtT6KerfgfehzCBFKQxhZJf b1lGdABJyiLBqQlMNoFIML9TKcLSN4kfUn5gBhcdPVR8XykHLgSycnBww/2GK3dY Vs5KGL+QhJ4CWPr0oSpypX0Upd+KL/0okGAaYcMLJw97VhNk2pE= =r8LY -----END PGP SIGNATURE-----