Bug 30214 - php-smarty new security issues CVE-2021-21408 and CVE-2021-29454
Summary: php-smarty new security issues CVE-2021-21408 and CVE-2021-29454
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-29 00:42 CEST by David Walser
Modified: 2022-04-03 00:23 CEST

See Also:
Source RPM: php-smarty-3.1.39-2.mga9.src.rpm
CVE:
Status comment: Fixed upstream in 4.0.3


David Walser 2022-03-29 00:42:18 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.0.3

Comment 1 Lewis Smith 2022-03-29 20:56:18 CEST
This is your baby, Marc, so assigning it thus.

Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2022-04-01 14:29:52 CEST
Updated php-smarty packages to version 4 for php 8 compatibility and to fix security vulnerabilities.

References:
https://ubuntu.com/security/notices/USN-5348-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29454
https://github.com/smarty-php/smarty/releases/tag/v4.0.4
========================

Updated packages in core/updates_testing:
========================
php-smarty-4.0.4-1.mga8.noarch.rpm
SRPM: 
php-smarty-4.0.4-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Thomas Backlund 2022-04-01 19:25:50 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-04-02 10:58:29 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
No ill effect on my system.
I read from the description in MCC this is a developer's tool, so OK'ing on clean install.

CC: (none) => herman.viaene

Herman Viaene 2022-04-02 10:58:56 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-04-02 19:09:35 CEST
Validating. Advisory information in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-04-02 21:24:24 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-04-03 00:23:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0127.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

