Red Hat Bugzilla – Full Text Bug Listing
Summary: pgpoolAdmin: multiple vulnerabilities in embedded Smarty (2.6.13)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 637226, 847367
Description Vincent Danen 2010-09-22 13:53:01 EDT
Silvio Cesare reported that pgpoolAdmin includes an embedded copy of the Smarty PHP template engine that is vulnerable to a number of security-related issues. The version of Smarty bundled in pgpoolAdmin 2.2 is 2.6.13, while the current version of Smarty is 2.6.25. This would make the embedded version of Smarty, and thus pgpoolAdmin, vulnerable to a number of issues with CVE names, including:

CVE-2009-1669
CVE-2008-4811
CVE-2008-4810
CVE-2008-1066

There may be others as well. The Smarty changelog does identify a number of fixes since the 2.6.2 release: http://www.smarty.net/changelog.php

Ideally, we should update the embedded version of Smarty to 2.6.25; however, I have no idea if that will break anything, as that is quite the jump. We may have to identify and backport all the security fixes.
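An added audit check, not part of the bug report or of pgpoolAdmin itself: it walks an unpacked source tree for bundled `Smarty.class.php` files, reads the `$_version` string Smarty 2.x declares there, and flags any copy older than 2.6.26 (the Smarty release the fixed pgpoolAdmin builds embed). The sample tree it builds is constructed for the demonstration and stands in for a real tarball.

```python
import re
import tempfile
from pathlib import Path

# pgpoolAdmin 2.3.1 / 3.0.1 ship Smarty 2.6.26, the first bundled release carrying the fixes.
FIXED_SMARTY = (2, 6, 26)

# Smarty 2.x declares its release in Smarty.class.php as:  var $_version = '2.6.13';
_VERSION_RE = re.compile(r"""\$_version\s*=\s*['"](\d+(?:\.\d+)*)['"]""")


def parse_version(text):
    """Return the declared Smarty version as an int tuple, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True when the bundled copy predates the release that carries the fixes."""
    return version is not None and version < FIXED_SMARTY


def audit_tree(root):
    """Find every bundled Smarty.class.php under root and classify each copy."""
    findings = []
    for path in sorted(Path(root).rglob("Smarty.class.php")):
        version = parse_version(path.read_text(errors="replace"))
        findings.append((str(path.relative_to(root)), version, is_vulnerable(version)))
    return findings


def build_sample_tree():
    """Constructed stand-in for unpacked pgpoolAdmin tarballs (not real project files)."""
    root = Path(tempfile.mkdtemp())
    old = root / "pgpoolAdmin-2.2" / "libs" / "Smarty.class.php"
    old.parent.mkdir(parents=True)
    old.write_text("<?php\nclass Smarty {\n    var $_version = '2.6.13';\n}\n")
    new = root / "pgpoolAdmin-3.0.1" / "libs" / "Smarty.class.php"
    new.parent.mkdir(parents=True)
    new.write_text("<?php\nclass Smarty {\n    var $_version = '2.6.26';\n}\n")
    return root


if __name__ == "__main__":
    for rel, version, vuln in audit_tree(build_sample_tree()):
        label = "VULNERABLE" if vuln else "ok"
        print(f"{rel}: Smarty {'.'.join(map(str, version))} -> {label}")
```

Point `audit_tree` at an unpacked pgpoolAdmin tarball or an installed web root to check a real deployment.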
Comment 1 Vincent Danen 2010-09-22 13:54:17 EDT
Used upstream's contact form to make them aware of the issue. Will wait a bit to see if we get a response before making this public.
Comment 2 Vincent Danen 2010-09-24 11:44:00 EDT
Upstream has reported that versions 2.3.1 and 3.0.1 have been released, which embed Smarty 2.6.26:

http://pgfoundry.org/frs/download.php/2804/pgpoolAdmin-2.3.1.tar.gz
http://pgfoundry.org/frs/download.php/2805/pgpoolAdmin-3.0.1.tar.gz

They also note that version 2.2 is no longer maintained, so we should upgrade to one of the above versions.
Comment 3 Vincent Danen 2010-09-24 11:48:57 EDT
Created postgresql-pgpoolAdmin tracking bugs for this issue

Affects: fedora-all [bug 637226]
Comment 4 Devrim GÜNDÜZ 2010-09-24 16:16:40 EDT
Ok, I'm on it.
Comment 5 Vincent Danen 2010-10-13 16:37:48 EDT
(In reply to comment #4)
> Ok, I'm on it.

Any progress on this yet?
Comment 6 Vincent Danen 2011-06-14 12:58:43 EDT
This is still unfixed in Fedora from what I can see. Can this be taken care of soon? It's quite old.
Comment 7 Fedora Update System 2012-05-08 00:14:50 EDT
postgresql-pgpoolAdmin-3.1.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-05-12 21:59:51 EDT
postgresql-pgpoolAdmin-3.1.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Vincent Danen 2012-08-10 14:16:38 EDT
EPEL5 still contains version 2.2, which is vulnerable. Fedora is ok.