| Summary: | <dev-php/smarty-3.1.12: "SmartyException" Cross-site scripting (CVE-2012-4437) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | mjo, php-bugs, tomk |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/50589/ | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 386281 | | |
Description

Agostino Sarubbo
2012-09-20 08:31:39 UTC

CVE-2012-4437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4437): Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception.

Comment #2
Chris Reffett

@maintainers: looks like 2.6.27 is not listed as affected. Okay to stable it? (I assume we won't stable 3.1 at this time)

(In reply to Chris Reffett from comment #2)
> @maintainers: looks like 2.6.27 is not listed as affected. Okay to stable
> it? (I assume we won't stable 3.1 at this time)

Sorry for the late response. Yep. You can stabilise it.

Arches, please test and mark stable:
=dev-php/smarty-2.6.27
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Actually, hold off, we will probably be masking 2.6 and stabilizing 3.x. Will sort this all out tonight when I'm at my dev box.

After discussion with maintainers, we will be stabilizing 3.1.12 and pmasking 2.6.x.
Arches, please test and stabilize:
=dev-php/smarty-3.1.12
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

amd64 stable

Comment #9
Agostino Sarubbo

x86 stable

ia64 stable

alpha stable

ppc stable

ppc64 stable

sparc stable

(In reply to Agostino Sarubbo from comment #9)
> x86 stable

Did this commit get lost somehow? I still see,
KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc ~x86"

Comment #16
Chris Reffett

x86 was not stabled for smarty-3.1.12, fix please.

(In reply to Chris Reffett from comment #16)
> x86 was not stabled for smarty-3.1.12, fix please.

done.

Thanks for your work. GLSA vote: no

GLSA vote: no, closing noglsa. Maintainer(s), please drop the vulnerable version.

*** Bug 481780 has been marked as a duplicate of this bug. ***

2.6.28 is not affected and we ended up not removing 2.* because it had fixes backported for a different bug. Closing noglsa.
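The advisory above describes the bug class only in general terms (script injection through text that reaches the page when a Smarty exception is triggered); the concrete vector is unspecified. The following is an added illustration of that class, written for this page, and is not Smarty's code nor the actual CVE-2012-4437 bug: a hypothetical template loader whose exception message embeds the requested template name, an error renderer that echoes the message into HTML unescaped, and the hardened renderer that escapes at the HTML boundary. The class names, function names and the constructed request value are all assumptions.

```php
<?php
// Added illustration of the bug class named in CVE-2012-4437, not Smarty's code.
// The real vector is unspecified in the advisory; names and input here are constructed.

class TemplateException extends Exception {}

// Hypothetical loader: the "not found" message embeds the requested name verbatim,
// so whatever the client supplied ends up inside the exception text.
function loadTemplate(string $name): string
{
    throw new TemplateException("Unable to load template '$name'");
}

// Vulnerable pattern: exception text is written into the response as-is.
function renderErrorUnsafe(Throwable $e): string
{
    return '<p class="error">' . $e->getMessage() . '</p>';
}

// Hardened pattern: HTML-escape the message at the point it enters markup,
// regardless of where it originated. ENT_QUOTES also covers attribute contexts;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function renderErrorSafe(Throwable $e): string
{
    return '<p class="error">'
        . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Constructed request: stands in for a template name taken from $_GET['tpl'].
$requested = '<script>alert(document.cookie)</script>';

try {
    loadTemplate($requested);
} catch (TemplateException $e) {
    echo renderErrorUnsafe($e), PHP_EOL;   // payload is live markup in the page
    echo renderErrorSafe($e), PHP_EOL;     // payload is rendered as inert text
}
```

The point for reviewers of any template engine, not just Smarty: error and exception paths are output paths too, and must go through the same escaping as ordinary template output. Fixing the escaping in the renderer (rather than trying to sanitise every string that might end up in an exception) is what closes the whole class, and it is the approach to check for when auditing a version that claims to be fixed.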