diff -u smarty-2.6.11/debian/changelog smarty-2.6.11/debian/changelog
--- smarty-2.6.11/debian/changelog
+++ smarty-2.6.11/debian/changelog
@@ -1,3 +1,17 @@
+smarty (2.6.11-1ubuntu0.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE: (LP: #202422)
+ + libs/plugins/modifier.regex_replace.php
+ - The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
+ by Serendipity (S9Y) and other products, allows attackers to call arbitrary
+ PHP functions via templates, related to a '\0' character in a search string.
+
+ * References
+ + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
+ + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492
+
+ -- Emanuele Gentili Sat, 15 Mar 2008 07:33:32 +0100
+
 smarty (2.6.11-1) unstable; urgency=low

 * New upstream release
only in patch2:
unchanged:
--- smarty-2.6.11.orig/libs/plugins/modifier.regex_replace.php
+++ smarty-2.6.11/libs/plugins/modifier.regex_replace.php
@@ -22,6 +22,8 @@
 */
 function smarty_modifier_regex_replace($string, $search, $replace)
 {
+ if (($pos = strpos($search,"\0")) !== false)
+ $search = substr($search,0,$pos);
 if (preg_match('!\W(\w+)$!s', $search, $match) && (strpos($match[1], 'e') !== false)) {
 /* remove eval-modifier from $search */
 $search = substr($search, 0, -strlen($match[1])) . str_replace('e', '', $match[1]);
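Review bot: The added NUL truncation in `smarty_modifier_regex_replace` assumes `$search` is a string, so a non-string pattern is not covered: with an array, `strpos()` and the `preg_match()` check on the following line both fail without stripping anything, and the value would reach the replace call (presumably further down, outside this hunk) with its modifiers intact. It would be safer to normalise the type before the new lines, either by applying the same truncate-and-strip logic to each element or by refusing non-string patterns, for example `if (!is_string($search)) { return $string; }`. The new `if` is also unbraced and indented differently from the rest of the body; `if (($pos = strpos($search, "\0")) !== false) { $search = substr($search, 0, $pos); }` would match the surrounding style. A short comment such as `/* cut the pattern at the first NUL byte so the modifier check below sees the same pattern end as the regex engine (CVE-2008-1066) */` would record why the truncation exists.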