[Bug 327367] [NEW] MIR: please promote smarty to Main
Jordan Mantha
jordan.mantha at gmail.com
Mon Feb 9 20:58:05 UTC 2009
Public bug reported:
Binary package hint: smarty
Moodle already includes a copy of smarty and Debian has recently decided
to remove the copy and depend on the system installed version. This is
an ongoing effort to get rid of Moodle's embedded libs (see bottom of
https://wiki.ubuntu.com/EdubuntuContentServer ). Smarty has a CVE record
(http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=smarty) but the current
version doesn't seem to have any vulnerabilities. However, not
keeping/using the moodle copy should ensure better security. Here's the
relevant Debian changelog entry:

moodle (1.8.2-2) unstable; urgency=high

  * Adopt orphaned package (closes: #494642)
  * Acknowledge security NMU (closes: #489533, #432264)
  * Add Vcs-* fields to debian/control

  Release-critical and security bugs:
  * Depend on smarty instead of using the embedded copy that is shipped
    with Moodle (closes: #471158, #488525, #504345)
  * Patch security bug in the embedded (and customised) copy of phpmailer
    (CVE-2007-3215, closes: #429339, #429190)
  * Patch cross-site scripting bug (CVE-2008-3326, closes: #492492)
  * Patch snoopy input sanitising (CVE-2008-4796, closes: #504235)
  * Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069)

  Trivial bug fixes:
  * Depend on zip (closes: #408995)
  * Add mysql-client as an alternative to postgresql-client
    (closes: #417554, #469094)
  * Recommend php5-ldap (closes: #425839)
  * Delete unnecessary script with bashisms (closes: #489634)

  Lintian warnings:
  * Bump Standards-Version to 3.8.0
  * Add homepage field to debian/control
  * Remove cvsignore file
  * Remove extra license file
  * Depend on yui instead of using an embedded copy

 -- Francois Marier <francois at debian.org>  Fri, 07 Nov 2008 08:24:28 +1300

Let me know if you need anything more.
** Affects: smarty (Ubuntu)
Importance: Undecided
Status: New
--
MIR: please promote smarty to Main
https://bugs.launchpad.net/bugs/327367
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs