Your message dated Tue, 02 Jun 2026 19:17:19 +0000
with message-id <[email protected]>
and subject line Bug#1086884: fixed in php-twig 3.5.1-1+deb12u2
has caused the Debian Bug report #1086884,
regarding php-twig: CVE-2024-51754 CVE-2024-51755
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1086884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086884
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-twig
Version: 3.14.0-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for php-twig.
CVE-2024-51754[0]:
| Twig is a template language for PHP. In a sandbox, an attacker can
| call `__toString()` on an object even if the `__toString()` method
| is not allowed by the security policy when the object is part of an
| array or an argument list (arguments to a function or a filter for
| instance). This issue has been patched in versions 3.11.2 and
| 3.14.1. All users are advised to upgrade. There are no known
| workarounds for this issue.
CVE-2024-51755[1]:
| Twig is a template language for PHP. In a sandbox, an attacker can
| access attributes of Array-like objects as they were not checked by
| the security policy. They are now checked via the property policy
| and the `__isset()` method is now called after the security check.
| This is a BC break. This issue has been patched in versions 3.11.2
| and 3.14.1. All users are advised to upgrade. There are no known
| workarounds for this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-51754
https://www.cve.org/CVERecord?id=CVE-2024-51754
https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
[1] https://security-tracker.debian.org/tracker/CVE-2024-51755
https://www.cve.org/CVERecord?id=CVE-2024-51755
https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: php-twig
Source-Version: 3.5.1-1+deb12u2
Done: David Prévot <[email protected]>
We believe that the bug you reported is fixed in the latest version of
php-twig, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated php-twig package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Jun 2026 05:22:19 +0200
Source: php-twig
Architecture: source
Version: 3.5.1-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1086884
Changes:
php-twig (3.5.1-1+deb12u2) bookworm-security; urgency=medium
.
  * Backport security fixes from upstream
    - Fix sandbox handling for __toString() [CVE-2024-51754]
      (Closes: #1086884)
    - Pre-escape HTML input on the `spaceless` [CVE-2026-46628]
    - Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
      [CVE-2026-46629]
    - Fix sandbox bypass: PHP code injection via {% use %} template name
      [CVE-2026-46633]
    - Fix XSS and pre-escape input on HTML-emitting filters in the extras
      [CVE-2026-46637]
    - [Profiler] Escape template and profile names in `HtmlDumper`
      [CVE-2026-47730]
  * Update expected output with php-symfony-intl latest update
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---