Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1066 to the following vulnerability: The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.
References:
http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
http://www.phpinsider.com/smarty-forum/viewtopic.php?p=47652
http://www.smarty.net/misc/NEWS
(In reply to comment #0)
> The modifier.regex_replace.php plugin in Smarty before 2.6.19
--------------------------------------------------^^^^^^
*before*, as in 2.6.18 and lower, as in this was fixed last week. Please do me a favor and close all these bugs for me so I don't have to waste time doing it myself.... Thanks.
Updates were pushed to Fedora stable as bugfixes:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1928
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1911
php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty. Is there a possibility to make it use code from the php-Smarty package?
(In reply to comment #6)
> php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty.
> Is there a possibility to make it use code from the php-Smarty package?
It should be possible, yes.
php-pear-PhpDocumentor-1.4.1-2.fc8 has been submitted as an update for Fedora 8
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update gallery2'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F7/FEDORA-2008-2587
php-pear-PhpDocumentor-1.4.1-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
gallery2-2.2.4-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Removing myself (john@ncphotography) from CC list as the updates required for my packages have been pushed.
Reporter changed to security-response-team by request of Jay Turner.