========================================================================== Ubuntu Security Notice USN-7158-1 December 12, 2024 smarty3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Smarty. Software Description: - smarty3: The compiling PHP template engine Details: It was discovered that Smarty incorrectly handled query parameters in requests. An attacker could possibly use this issue to inject arbitrary Javascript code, resulting in denial of service or potential execution of arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2018-25047, CVE-2023-28447) It was discovered that Smarty did not properly sanitize user input when generating templates. An attacker could, through PHP injection, possibly use this issue to execute arbitrary code. (CVE-2024-35226) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 smarty3 3.1.48-1ubuntu0.24.10.1 Ubuntu 24.04 LTS smarty3 3.1.48-1ubuntu0.24.04.1 Ubuntu 22.04 LTS smarty3 3.1.39-2ubuntu1.22.04.2 Ubuntu 20.04 LTS smarty3 3.1.34+20190228.1.c9f0de05+selfpack1-1ubuntu0.1 Ubuntu 18.04 LTS smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7158-1 CVE-2018-25047, CVE-2023-28447, CVE-2024-35226 Package Information: https://launchpad.net/ubuntu/+source/smarty3/3.1.48-1ubuntu0.24.10.1 https://launchpad.net/ubuntu/+source/smarty3/3.1.48-1ubuntu0.24.04.1 https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu1.22.04.2 https://launchpad.net/ubuntu/+source/smarty3/3.1.34+20190228.1.c9f0de05+selfpack1-1ubuntu0.1