CVE-2021-29454 (https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m): Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch. CVE-2021-21408 (https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m): Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch. Please bump to 3.1.43.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ceabb261d8cfed718f1d1939da6f5e58b69424c commit 7ceabb261d8cfed718f1d1939da6f5e58b69424c Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2022-01-11 16:05:12 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2022-01-11 16:05:12 +0000 dev-php/smarty: Version bump for 4.0.3 Bug: https://bugs.gentoo.org/830980 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-php/smarty/Manifest | 1 + dev-php/smarty/smarty-4.0.3.ebuild | 46 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+)
Thanks! Please stabilize.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=344efd1264754faaeb184f644eac4eec350ebe67 commit 344efd1264754faaeb184f644eac4eec350ebe67 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2022-02-08 13:24:09 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2022-02-08 13:24:09 +0000 dev-php/smarty: Drop old Bug: https://bugs.gentoo.org/830980 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-php/smarty/Manifest | 2 -- dev-php/smarty/smarty-3.1.39.ebuild | 46 ------------------------------------- dev-php/smarty/smarty-4.0.3.ebuild | 46 ------------------------------------- 3 files changed, 94 deletions(-)
Thanks!
GLSA request filed
GLSA released, all done!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=a88876e54c65e1f5a5171c7ff1dd318ddf93bedd commit a88876e54c65e1f5a5171c7ff1dd318ddf93bedd Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-09-25 13:34:41 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-09-25 13:42:21 +0000 [ GLSA 202209-09 ] Smarty: Multiple vulnerabilities Bug: https://bugs.gentoo.org/830980 Bug: https://bugs.gentoo.org/845180 Bug: https://bugs.gentoo.org/870100 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202209-09.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)
