Bug 636615
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ser: multiple vulnerabilities in embedded Smarty (2.6.2) | | |
| Product | [Other] Security Response | Reporter | Vincent Danen <vdanen> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED UPSTREAM | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | security-response-team |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | 636239 | | |
| | 636620 | Environment | |
| Last Closed | 2019-06-10 10:57:15 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 642808 | | |
| Bug Blocks | | | |
Description

Vincent Danen, 2010-09-22 17:30:33 UTC

Sent an email to serweb-users informing them of the issue. Will wait a bit for a response before making public.

There has been no response from upstream at all, so making this public now. What would be ideal here is to update the embedded version of smarty in ser to the latest upstream version, but I don't know how practical that is (i.e. what may have changed, etc.). It looks like this version of ser has existed since Feb 2006 in Fedora, and smarty 2.6.2 is pretty old as well. There have been some CVS-based updates noted on the site: http://ftp.iptel.org/pub/ser/daily-snapshots/stable/ but even the latest one there is over a year old. Not sure what to do here other than update the embedded copy of smarty to the latest version and make sure it still works as expected.

Created ser tracking bugs for this issue

Affects: fedora-all [bug 642808]

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.