Silvio Cesare reported that pgpoolAdmin includes an embedded copy of the Smarty PHP template engine that is vulnerable to a number of security-related issues. The version of Smarty bundled in pgpoolAdmin 2.2 is 2.6.13, while the current version of Smarty is 2.6.25. This would make the embedded version of Smarty, and thus pgpoolAdmin, vulnerable to a number of issues with CVE names, including:

  CVE-2009-1669
  CVE-2008-4811
  CVE-2008-4810
  CVE-2008-1066

There may be others as well. The Smarty changelog [1] does identify a number of fixes since the 2.6.2 release.

Ideally, we should update the embedded version of Smarty to 2.6.25, however I have no idea if that will break anything as that is quite the jump. We may have to identify and backport all the security fixes.

[1] http://www.smarty.net/changelog.php
Used upstream's contact form to make them aware of the issue. Will wait a bit to see if we get a response before making this public.
Upstream has reported that versions 2.3.1 and 3.0.1 have been released, which embed Smarty 2.6.26:

  http://pgfoundry.org/frs/download.php/2804/pgpoolAdmin-2.3.1.tar.gz
  http://pgfoundry.org/frs/download.php/2805/pgpoolAdmin-3.0.1.tar.gz

They also note that version 2.2 is no longer maintained, so we should upgrade to one of the above versions.
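As an added example, not code from this bug thread or from the pgpoolAdmin or Smarty projects: a small Python audit that walks an install tree, finds bundled copies of Smarty.class.php, and compares the version each one declares against the 2.6.26 that the comment above reports as the fixed version. It assumes that Smarty 2.x records its version in a `$_version` member of Smarty.class.php (an assumption about Smarty, not stated in the thread); the directory layout of the sample tree is constructed. It also shows why the comparison must be numeric: as plain strings, "2.6.9" sorts after "2.6.13", which would hide an outdated copy.

```python
import re
import tempfile
from pathlib import Path

# Lowest Smarty 2.x version the thread reports as carrying the fixes
# (pgpoolAdmin 2.3.1 / 3.0.1 bundle 2.6.26).
MIN_FIXED = (2, 6, 26)

# Assumption: Smarty 2.x declares its version as  var $_version = '2.6.xx';
VERSION_RE = re.compile(r"""\$_version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")

# Constructed sample headers of an old and a fixed Smarty.class.php.
SAMPLE_OLD = "<?php\nclass Smarty\n{\n    var $_version = '2.6.13';\n}\n"
SAMPLE_NEW = "<?php\nclass Smarty\n{\n    var $_version = '2.6.26';\n}\n"


def parse_version(text):
    """Turn '2.6.13' into (2, 6, 13) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def extract_smarty_version(source):
    """Return the version string declared in a Smarty class file, or None."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def is_vulnerable(version, minimum=MIN_FIXED):
    """True when the declared version is older than the first fixed one."""
    return parse_version(version) < minimum


def audit_tree(root):
    """Find every bundled Smarty.class.php under root and classify it.

    Returns (relative path, version or None, vulnerable) per copy. A copy
    whose version cannot be parsed is flagged True so it gets manual review.
    """
    findings = []
    for path in sorted(Path(root).rglob("Smarty.class.php")):
        version = extract_smarty_version(path.read_text(errors="replace"))
        flagged = True if version is None else is_vulnerable(version)
        findings.append((str(path.relative_to(root)), version, flagged))
    return findings


def demo_audit():
    """Build a constructed tree with an old and a fixed copy, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed layout: two bundled copies, one outdated and one fixed.
        old_copy = root / "pgpoolAdmin-2.2" / "lib" / "smarty" / "Smarty.class.php"
        new_copy = root / "pgpoolAdmin-3.0.1" / "lib" / "smarty" / "Smarty.class.php"
        for copy, body in ((old_copy, SAMPLE_OLD), (new_copy, SAMPLE_NEW)):
            copy.parent.mkdir(parents=True)
            copy.write_text(body)
        return audit_tree(root)


if __name__ == "__main__":
    for rel_path, version, flagged in demo_audit():
        status = "OUTDATED" if flagged else "ok"
        print(f"{status:9} {version or 'unknown':8} {rel_path}")
```

Run it against a real install by calling `audit_tree("/path/to/pgpoolAdmin")`; any row flagged True is a bundled copy older than 2.6.26 (or one whose version could not be read) and should be upgraded with the package rather than patched in place.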
Created postgresql-pgpoolAdmin tracking bugs for this issue Affects: fedora-all [bug 637226]
Ok, I'm on it.
(In reply to comment #4)
> Ok, I'm on it.

Any progress on this yet?
This is still unfixed in Fedora from what I can see. Can this be taken care of soon? It's quite old.
postgresql-pgpoolAdmin-3.1.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
postgresql-pgpoolAdmin-3.1.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
EPEL5 still contains version 2.2, which is vulnerable. Fedora is ok.
Created postgresql-pgpoolAdmin tracking bugs for this issue Affects: epel-5 [bug 847367]