[2-Dec-2008] This release addresses a few bug fixes and a vulnerability that allows php execution from within a template in security mode. If you use template security, it is recommended to upgrade immediately.

Version 2.6.21 (Dec 2nd, 2008)
------------------------------
- fix function injection security hole closed (U.Tews)
- fix pass expiration time at cache_handler_fuc call in core.write_cache_file.php (U.Tews)
- Update of compiler.class.php to allow method chaining for PHP4 and PHP5 (U.Tews)

Reproducible: Always

ubuntu-steffen dev-zero # diff -u /usr/portage/dev-php/smarty/smarty-2.6.20-r1.ebuild /usr/local/portage/overlay/dev-php/smarty/smarty-2.6.21.ebuild --- /usr/portage/dev-php/smarty/smarty-2.6.20-r1.ebuild 2008-11-29 19:05:53.000000000 +0100 +++ /usr/local/portage/overlay/dev-php/smarty/smarty-2.6.21.ebuild 2008-12-09 13:35:02.000000000 +0100 @@ -1,6 +1,6 @@ # Copyright 1999-2008 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/smarty/smarty-2.6.20-r1.ebuild,v 1.5 2008/11/29 17:40:02 jer Exp $ +# $Header: smarty-2.6.21.ebuild,v 1.6 2008/12/09 13:30:02 j0inty Exp $ inherit php-lib-r1 eutils @@ -11,7 +11,8 @@ DESCRIPTION="A template engine for PHP." HOMEPAGE="http://www.smarty.net/" SRC_URI="http://www.smarty.net/distributions/${MY_P}.tar.gz" -LICENSE="LGPL-2.1" +RESTRICT="mirror" +ICENSE="LGPL-2.1" SLOT="0" IUSE="doc" @@ -26,8 +27,6 @@ src_unpack() { unpack ${A} cd "${S}" - - epatch "${FILESDIR}/${P}-CVE-2008-4810.patch" } src_install() {
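Review bot: In the first hunk (@@ -1,6 +1,6 @@) the $Header line is hand-written with a made-up revision and author; that line is a CVS keyword that the repository expands on commit, so it should be left as the bare `# $Header: $` rather than edited by hand.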
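Review bot: In the second hunk (@@ -11,7 +11,8 @@) the `-LICENSE="LGPL-2.1"` / `+ICENSE="LGPL-2.1"` pair drops the leading L, so the ebuild no longer sets LICENSE at all and will fail the metadata check; restore `LICENSE="LGPL-2.1"`. The added `RESTRICT="mirror"` also has no stated justification, since the license is unchanged and SRC_URI still points at the upstream tarball, so it should be removed.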
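Review bot: In the third hunk (@@ -26,8 +27,6 @@) removing `epatch "${FILESDIR}/${P}-CVE-2008-4810.patch"` is only correct if the 2.6.21 tarball carries the fix itself; the upstream changelog quoted above ("fix function injection security hole closed") suggests it does, but the commit message should state that CVE-2008-4810 is fixed upstream in 2.6.21 so the dropped patch is traceable.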
Created attachment 174713 smarty-2.6.21.ebuild
(In reply to comment #1) > Created an attachment (id=174713) > smarty-2.6.21.ebuild > Thanks Steffen, somehow I forgot about bumping that package. Regarding your ebuild: It's not necessary to restrict mirroring and LICENSE is still named LICENSE - not ICENSE ;) Wrt. the security fix mentioned: That's the fix which is already incorporated in 2.6.20-r1 (#243856), so from my point there's no need to fast track this one to stable.
(In reply to comment #2) > (In reply to comment #1) > > Created an attachment (id=174713) > > smarty-2.6.21.ebuild > > > > Thanks Steffen, somehow I forgot about bumping that package. > > Regarding your ebuild: It's not necessary to restrict mirroring and LICENSE is > still named LICENSE - not ICENSE ;) > > Wrt. the security fix mentioned: That's the fix which is already incorporated > in 2.6.20-r1 (#243856), so from my point there's no need to fast track this one > to stable. > oh, and 2.6.21 is in CVS, of course ;)
We're handling the security issue on the other bug, so feel free to close this one now it's bumped.
(In reply to comment #4) > We're handling the security issue on the other bug, so feel free to close this > one now it's bumped. > doing so, thanks.