Category Archives: Advisories

php-Smarty-3.1.47-1.fc37

Read Time:3 Minute, 58 Second

FEDORA-2022-d5fc9dcdd7

Packages in this update:

php-Smarty-3.1.47-1.fc37

Update description:

[3.1.47] – 2022-09-14

Security

Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

Fixed use of rand() without a parameter in math function #794
Fixed unselected year/month/day not working in html_select_date #395

[3.1.46] – 2022-08-01

Fixed

Fixed problems with smarty_mb_str_replace #549
Fixed second parameter of unescape modifier not working #777

[3.1.45] – 2022-05-17

Security

Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

Math equation max(x, y) didn’t work anymore #721

[3.1.44] – 2022-01-18

Fixed

Fixed illegal characters bug in math function security check #702

[3.1.43] – 2022-01-10

Security

Prevent evasion of the static_classes security policy. This addresses CVE-2021-21408

[3.1.42] – 2022-01-10

Security

Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454

[3.1.41] – 2022-01-09

Security

Rewrote the mailto function to not use eval when encoding with javascript

[3.1.40] – 2021-10-13

Changed

modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

Security

More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

[3.1.39] – 2021-02-17

Security

Prevent access to $smarty.template_object in sandbox mode. This addresses CVE-2021-26119.
Fixed code injection vulnerability by using illegal function names in {function name=’blah’}{/function}. This addresses CVE-2021-26120.

[3.1.38] – 2021-01-08

Fixed

Smarty::SMARTY_VERSION wasn’t updated https://github.com/smarty-php/smarty/issues/628

[3.1.37] – 2021-01-07

Changed

Changed error handlers and handling of undefined constants for php8-compatibility (set $errcontext argument optional) https://github.com/smarty-php/smarty/issues/605
Changed expected error levels in unit tests for php8-compatibility
Travis unit tests now run for all php versions >= 5.3, including php8
Travis runs on Xenial where possible

Fixed

PHP5.3 compatibility fixes
Brought lexer source functionally up-to-date with compiled version

[3.1.36] – 2020-04-14

Fixed

Smarty::SMARTY_VERSION wasn’t updated in v3.1.35 https://github.com/smarty-php/smarty/issues/584

[3.1.35] – 2020-04-14

remove whitespaces after comments https://github.com/smarty-php/smarty/issues/447
fix foreachelse on arrayiterators https://github.com/smarty-php/smarty/issues/506
fix files contained in git export archive for package maintainers https://github.com/smarty-php/smarty/issues/325
throw SmartyException when setting caching attributes for cacheable plugin https://github.com/smarty-php/smarty/issues/457
fix errors that occured where isset was replaced with null check such as https://github.com/smarty-php/smarty/issues/453
unit tests are now in the repository

3.1.34 release – 05.11.2019

13.01.2020
– fix typo in exception message (JercSi)
– fix typehint warning with callable (bets4breakfast)
– add travis badge and compatability info to readme (matks)
– fix stdClass cast when compiling foreach (carpii)
– fix wrong set/get methods for memcached (IT-Experte)
– fix pborm assigning value to object variables in smarty_internal_compile_assign (Hunman)
– exclude error_reporting.ini from git export (glensc)

3.1.34-dev-6 –

30.10.2018
– bugfix a nested subblock in an inheritance child template was not replace by
outer level block with same name in same child template https://github.com/smarty-php/smarty/issues/500

29.10.2018
– bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the “n” (newline) character if it did directly followed
a PHP tag like “?>” or other https://github.com/smarty-php/smarty/issues/501

14.10.2018
– bugfix autoloader exit shortcut https://github.com/smarty-php/smarty/issues/467

11.10.2018
– bugfix {insert} not works when caching is enabled and included template is present
https://github.com/smarty-php/smarty/issues/496
– bugfix in date-format modifier; NULL at date string or default_date did not produce correct output
https://github.com/smarty-php/smarty/pull/458

09.10.2018
– bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327
modifier is applied to sum expression https://github.com/smarty-php/smarty/issues/491
– bugfix indexed arrays could not be defined “array(…)””

18.09.2018
– bugfix large plain text template sections without a Smarty tag > 700kB could
could fail in version 3.1.32 and 3.1.33 because PHP preg_match() restrictions
https://github.com/smarty-php/smarty/issues/488

Read More

php-Smarty-3.1.47-1.fc36

Read Time:3 Minute, 58 Second

FEDORA-2022-52154efd61

Packages in this update:

php-Smarty-3.1.47-1.fc36

Update description:

[3.1.47] – 2022-09-14

Security

Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

Fixed use of rand() without a parameter in math function #794
Fixed unselected year/month/day not working in html_select_date #395

[3.1.46] – 2022-08-01

Fixed

Fixed problems with smarty_mb_str_replace #549
Fixed second parameter of unescape modifier not working #777

[3.1.45] – 2022-05-17

Security

Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

Math equation max(x, y) didn’t work anymore #721

[3.1.44] – 2022-01-18

Fixed

Fixed illegal characters bug in math function security check #702

[3.1.43] – 2022-01-10

Security

Prevent evasion of the static_classes security policy. This addresses CVE-2021-21408

[3.1.42] – 2022-01-10

Security

Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454

[3.1.41] – 2022-01-09

Security

Rewrote the mailto function to not use eval when encoding with javascript

[3.1.40] – 2021-10-13

Changed

modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

Security

More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

[3.1.39] – 2021-02-17

Security

Prevent access to $smarty.template_object in sandbox mode. This addresses CVE-2021-26119.
Fixed code injection vulnerability by using illegal function names in {function name=’blah’}{/function}. This addresses CVE-2021-26120.

[3.1.38] – 2021-01-08

Fixed

Smarty::SMARTY_VERSION wasn’t updated https://github.com/smarty-php/smarty/issues/628

[3.1.37] – 2021-01-07

Changed

Changed error handlers and handling of undefined constants for php8-compatibility (set $errcontext argument optional) https://github.com/smarty-php/smarty/issues/605
Changed expected error levels in unit tests for php8-compatibility
Travis unit tests now run for all php versions >= 5.3, including php8
Travis runs on Xenial where possible

Fixed

PHP5.3 compatibility fixes
Brought lexer source functionally up-to-date with compiled version

[3.1.36] – 2020-04-14

Fixed

Smarty::SMARTY_VERSION wasn’t updated in v3.1.35 https://github.com/smarty-php/smarty/issues/584

[3.1.35] – 2020-04-14

remove whitespaces after comments https://github.com/smarty-php/smarty/issues/447
fix foreachelse on arrayiterators https://github.com/smarty-php/smarty/issues/506
fix files contained in git export archive for package maintainers https://github.com/smarty-php/smarty/issues/325
throw SmartyException when setting caching attributes for cacheable plugin https://github.com/smarty-php/smarty/issues/457
fix errors that occured where isset was replaced with null check such as https://github.com/smarty-php/smarty/issues/453
unit tests are now in the repository

3.1.34 release – 05.11.2019

13.01.2020
– fix typo in exception message (JercSi)
– fix typehint warning with callable (bets4breakfast)
– add travis badge and compatability info to readme (matks)
– fix stdClass cast when compiling foreach (carpii)
– fix wrong set/get methods for memcached (IT-Experte)
– fix pborm assigning value to object variables in smarty_internal_compile_assign (Hunman)
– exclude error_reporting.ini from git export (glensc)

3.1.34-dev-6 –

30.10.2018
– bugfix a nested subblock in an inheritance child template was not replace by
outer level block with same name in same child template https://github.com/smarty-php/smarty/issues/500

29.10.2018
– bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the “n” (newline) character if it did directly followed
a PHP tag like “?>” or other https://github.com/smarty-php/smarty/issues/501

14.10.2018
– bugfix autoloader exit shortcut https://github.com/smarty-php/smarty/issues/467

11.10.2018
– bugfix {insert} not works when caching is enabled and included template is present
https://github.com/smarty-php/smarty/issues/496
– bugfix in date-format modifier; NULL at date string or default_date did not produce correct output
https://github.com/smarty-php/smarty/pull/458

09.10.2018
– bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327
modifier is applied to sum expression https://github.com/smarty-php/smarty/issues/491
– bugfix indexed arrays could not be defined “array(…)””

18.09.2018
– bugfix large plain text template sections without a Smarty tag > 700kB could
could fail in version 3.1.32 and 3.1.33 because PHP preg_match() restrictions
https://github.com/smarty-php/smarty/issues/488

Read More

php-Smarty-3.1.47-1.el7

Read Time:3 Minute, 58 Second

FEDORA-EPEL-2022-576e858e93

Packages in this update:

php-Smarty-3.1.47-1.el7

Update description:

[3.1.47] – 2022-09-14

Security

Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

Fixed use of rand() without a parameter in math function #794
Fixed unselected year/month/day not working in html_select_date #395

[3.1.46] – 2022-08-01

Fixed

Fixed problems with smarty_mb_str_replace #549
Fixed second parameter of unescape modifier not working #777

[3.1.45] – 2022-05-17

Security

Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

Math equation max(x, y) didn’t work anymore #721

[3.1.44] – 2022-01-18

Fixed

Fixed illegal characters bug in math function security check #702

[3.1.43] – 2022-01-10

Security

Prevent evasion of the static_classes security policy. This addresses CVE-2021-21408

[3.1.42] – 2022-01-10

Security

Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454

[3.1.41] – 2022-01-09

Security

Rewrote the mailto function to not use eval when encoding with javascript

[3.1.40] – 2021-10-13

Changed

modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

Security

More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

[3.1.39] – 2021-02-17

Security

Prevent access to $smarty.template_object in sandbox mode. This addresses CVE-2021-26119.
Fixed code injection vulnerability by using illegal function names in {function name=’blah’}{/function}. This addresses CVE-2021-26120.

[3.1.38] – 2021-01-08

Fixed

Smarty::SMARTY_VERSION wasn’t updated https://github.com/smarty-php/smarty/issues/628

[3.1.37] – 2021-01-07

Changed

Changed error handlers and handling of undefined constants for php8-compatibility (set $errcontext argument optional) https://github.com/smarty-php/smarty/issues/605
Changed expected error levels in unit tests for php8-compatibility
Travis unit tests now run for all php versions >= 5.3, including php8
Travis runs on Xenial where possible

Fixed

PHP5.3 compatibility fixes
Brought lexer source functionally up-to-date with compiled version

[3.1.36] – 2020-04-14

Fixed

Smarty::SMARTY_VERSION wasn’t updated in v3.1.35 https://github.com/smarty-php/smarty/issues/584

[3.1.35] – 2020-04-14

remove whitespaces after comments https://github.com/smarty-php/smarty/issues/447
fix foreachelse on arrayiterators https://github.com/smarty-php/smarty/issues/506
fix files contained in git export archive for package maintainers https://github.com/smarty-php/smarty/issues/325
throw SmartyException when setting caching attributes for cacheable plugin https://github.com/smarty-php/smarty/issues/457
fix errors that occured where isset was replaced with null check such as https://github.com/smarty-php/smarty/issues/453
unit tests are now in the repository

3.1.34 release – 05.11.2019

13.01.2020
– fix typo in exception message (JercSi)
– fix typehint warning with callable (bets4breakfast)
– add travis badge and compatability info to readme (matks)
– fix stdClass cast when compiling foreach (carpii)
– fix wrong set/get methods for memcached (IT-Experte)
– fix pborm assigning value to object variables in smarty_internal_compile_assign (Hunman)
– exclude error_reporting.ini from git export (glensc)

3.1.34-dev-6 –

30.10.2018
– bugfix a nested subblock in an inheritance child template was not replace by
outer level block with same name in same child template https://github.com/smarty-php/smarty/issues/500

29.10.2018
– bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the “n” (newline) character if it did directly followed
a PHP tag like “?>” or other https://github.com/smarty-php/smarty/issues/501

14.10.2018
– bugfix autoloader exit shortcut https://github.com/smarty-php/smarty/issues/467

11.10.2018
– bugfix {insert} not works when caching is enabled and included template is present
https://github.com/smarty-php/smarty/issues/496
– bugfix in date-format modifier; NULL at date string or default_date did not produce correct output
https://github.com/smarty-php/smarty/pull/458

09.10.2018
– bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327
modifier is applied to sum expression https://github.com/smarty-php/smarty/issues/491
– bugfix indexed arrays could not be defined “array(…)””

18.09.2018
– bugfix large plain text template sections without a Smarty tag > 700kB could
could fail in version 3.1.32 and 3.1.33 because PHP preg_match() restrictions
https://github.com/smarty-php/smarty/issues/488

Read More