Bug 30214

Summary: php-smarty new security issues CVE-2021-21408 and CVE-2021-29454
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: php-smarty-3.1.39-2.mga9.src.rpm CVE:
Status comment: Fixed upstream in 4.0.3

David Walser 2022-03-29 00:42:18 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.0.3

Comment 1 Lewis Smith 2022-03-29 20:56:18 CEST
This is your baby, Marc, so assigning it thus.

Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2022-04-01 14:29:52 CEST
Updated php-smarty packages to version 4 for php 8 compatibility and to fix security vulnerabilities.

References:
https://ubuntu.com/security/notices/USN-5348-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454
https://github.com/smarty-php/smarty/releases/tag/v4.0.4
========================

Updated packages in core/updates_testing:
========================
php-smarty-4.0.4-1.mga8.noarch.rpm
SRPM: 
php-smarty-4.0.4-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Thomas Backlund 2022-04-01 19:25:50 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-04-02 10:58:29 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
No ill effect on my system.
I read from the description in MCC this is a developer's tool, so OK'ing on clean install.

CC: (none) => herman.viaene

Herman Viaene 2022-04-02 10:58:56 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-04-02 19:09:35 CEST
Validating. Advisory information in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-04-02 21:24:24 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-04-03 00:23:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0127.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED