Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c88e6d45 by Markus Koschany at 2019-03-27T16:35:11Z
CVE-2019-9942,twig: Mark as no-dsa for Jessie.

The sandbox is not enabled by default. Workaround is to blacklist __toString().
We could upgrade to a newer upstream release of the 1.x branch but since the
package is not widely used in general and not by any sponsor I consider this to
be low priority.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -398,6 +398,7 @@ CVE-2016-10743 (hostapd before 2.6 does not prevent use of 
the low-quality PRNG
 CVE-2019-9942 (A sandbox information disclosure exists in Twig before 1.38.0 
and 2.x  ...)
        [experimental] - twig 2.7.1-1
        - twig 2.6.2-2
+       [jessie] - twig <no-dsa> (low priority, sandbox disabled by default)
        NOTE: 
https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
        NOTE: https://symfony.com/blog/twig-sandbox-information-disclosure
 CVE-2019-9941
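
Review bot: The added [jessie] line gives "sandbox disabled by default" as the reason for <no-dsa>, but the entry does not record the workaround that the commit message names (blacklisting __toString()), so a jessie user who has enabled the sandbox finds no mitigation in the tracker data itself. Consider adding a NOTE line next to the two existing NOTE entries stating that workaround, so the no-dsa decision and its mitigation sit together in data/CVE/list.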



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c88e6d452b4e4961687adfbc705cea8460934466
