Change logs for smarty3 source package in Buster

  • smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1) buster-security; urgency=high
    
      * Non-maintainer upload.
      * Fix the following CVEs:
        - CVE-2021-21408: template authors could run restricted static PHP methods
        - CVE-2021-29454: template authors could run arbitrary PHP code by crafting
                          a malicious math string
        - CVE-2022-29221: template authors could inject PHP code by choosing a
                          malicious {block} name or {include} file name
        - CVE-2021-26119: Sandbox Escape because $smarty.template_object can be
                          accessed in sandbox mode
        - CVE-2021-26120: code injection via an unexpected function name
    
     -- Markus Koschany <email address hidden>  Sun, 29 May 2022 13:13:32 +0200
  • smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium
    
      * New upstream release.
        - CVE-2018-16831: Don't bypass trusted directories with "../". (Closes:
          #908698).
      * debian/control:
        + Bump Standards-Version: to 4.2.1. No changes needed.
    
     -- Mike Gabriel <email address hidden>  Mon, 17 Sep 2018 13:04:18 +0200
  • smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium
    
      * New upstream release.
      * debian/*: White-space clean-up at EOL.
      * debian/patches:
        + Drop 0001_CVE-2017-1000480.patch. Applied upstream.
      * debian/rules:
        + Avoid using dpkg-parsechangelog.
      * debian/copyright:
        + Update copyright attributions.
        + Use secure URI to obtain copyright references.
        + Add global Comment: field. Explain about brokenness of upstream tarballs.
      * debian/control:
        + Update Vcs-*: fields. Packaging Git has been migrated to
          salsa.debian.org.
        + Bump Standards-Version: to 4.1.4. No changes needed.
      * debian/{control,compat}:
        + Bump DH version level to 11.
    
     -- Mike Gabriel <email address hidden>  Sun, 27 May 2018 23:21:33 +0200
  • smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium
    
      * debian/patches:
        + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes:
          #886460).
    
     -- Mike Gabriel <email address hidden>  Sun, 14 Jan 2018 11:13:16 +0100
  • smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2) unstable; urgency=medium
    
      * Re-upload to Debian unstable to enforce package rebuild (as we don't
        have binNMUs for arch:all packages).
    
      * debian/control:
        + Update versioned B-D on smarty-lexer (>= 3.1.30+dfsg1-1.1~).
          This is to assure correct lexer/parser generation which was broken by
          smarty-lexer 3.1.30+dfsg1-1. See Debian bug #847571 for further
          reference.
    
     -- Mike Gabriel <email address hidden>  Tue, 21 Mar 2017 10:13:01 +0100