Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-452-1 smarty3

Debian Security Advisory

DLA-452-1 smarty3 -- LTS security update

Date Reported:

03 May 2016

Affected Packages:

smarty3

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 765920.
In Mitre's CVE dictionary: CVE-2014-8350.

More information:

Smarty3, a template engine for PHP, allowed remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.

For Debian 7 Wheezy, these problems have been fixed in version 3.1.10-2+deb7u1.

We recommend that you upgrade your smarty3 packages.