Debian has issued an advisory on May 29:
https://www.debian.org/security/2022/dsa-5151

The issue is fixed upstream in 4.1.1:
https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c
https://github.com/smarty-php/smarty/releases/tag/v4.1.1

The 3.1.x branch also got an update, but 4.0.x didn't, so maybe it's not supported any more?
Status comment: (none) => Fixed upstream in 4.1.1
Updated php-smarty package to fix security vulnerability:

Template authors could inject php code by choosing a malicious {block} name or {include} file name.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221
https://www.debian.org/security/2022/dsa-5151
https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c
https://github.com/smarty-php/smarty/releases/tag/v4.1.1
========================

Updated packages in core/updates_testing:
========================
php-smarty-4.1.1-1.mga8.noarch.rpm

SRPM:
php-smarty-4.1.1-1.mga8.src.rpm
Assignee: mageia => qa-bugs
CVE: (none) => CVE-2022-29221
CC: (none) => mageia
MGA8-64 Plasma on Lenovo B50 in Dutch. No installation issues. No ill effect on my system. Ref bug 30214, OK on clean install.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0226.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Status comment: Fixed upstream in 4.1.1 => (none)