Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c075fff1 by Moritz Muehlenhoff at 2026-06-01T23:04:22+02:00
twig triage for older suites

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4146,6 +4146,7 @@ CVE-2026-48489
 CVE-2026-46636
        {DSA-6311-1}
        - php-twig 3.27.0-1
+       [bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
        NOTE: 
https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders
 CVE-2026-48806
        - php-twig 3.27.0-1
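Review bot: the added [bookworm] line under CVE-2026-46636 records the decision but not its basis; the only NOTE on the entry is the Symfony blog link. Since the state is <ignored> rather than <no-dsa>, a short NOTE naming what makes the backport intrusive would let a later reader re-evaluate the triage without redoing the analysis.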
@@ -4168,6 +4169,7 @@ CVE-2026-48808
 CVE-2026-48805
        {DSA-6311-1}
        - php-twig 3.27.0-1
+       [bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
        NOTE: 
https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php
 CVE-2026-47770
        - jq 1.8.1-7
@@ -7933,6 +7935,7 @@ CVE-2026-43494 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2026-47732
        {DSA-6311-1}
        - php-twig 3.26.0-1
+       [bookworm] - php-twig <ignored> (Too intrusive to backport)
        NOTE: 
https://github.com/twigphp/Twig/security/advisories/GHSA-pr2w-4gpj-cpq4
        NOTE: 
https://symfony.com/blog/cve-2026-47732-sandbox-multiple-tostring-policy-bypasses-via-unguarded-string-coercion-points
 CVE-2026-46634
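Review bot: the reason on the added [bookworm] line for CVE-2026-47732 reads "(Too intrusive to backport)", while every other line touched by this commit uses "(Minor issue, too intrusive to backport)". If dropping "Minor issue" is deliberate because this one is not considered minor, a NOTE saying so would help; otherwise align the wording so the entries can be searched consistently.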
@@ -7950,7 +7953,7 @@ CVE-2026-46627
 CVE-2026-46635
        {DSA-6311-1}
        - php-twig 3.26.0-1
-       [bookworm] - php-twig <no-dsa> (Minor issue)
+       [bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
        NOTE: 
https://symfony.com/blog/cve-2026-46635-sandbox-property-allowlist-bypass-via-the-column-filter-array-column-on-objects
        NOTE: 
https://github.com/twigphp/Twig/security/advisories/GHSA-vcc8-phrv-43wj
        NOTE: Variant of CVE-2024-51755
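Review bot: CVE-2026-46635 is noted as a variant of CVE-2024-51755 and its [bookworm] state moves from <no-dsa> to <ignored> here, but the only 2024 entry changed in this commit is CVE-2024-51754; CVE-2024-51755 appears only in a hunk header. Check that the CVE-2024-51755 entry carries the same bookworm state, so the variant and the original issue are triaged consistently.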
@@ -7978,6 +7981,7 @@ CVE-2026-46637
 CVE-2026-46638
        {DSA-6311-1}
        - php-twig 3.26.0-1
+       [bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
        NOTE: 
https://symfony.com/blog/cve-2026-46638-sandbox-include-skips-checksecurity-on-cached-templates-incomplete-fix-for-cve-2024-45411
 CVE-2026-46639
        - php-twig 3.26.0-1
@@ -219435,7 +219439,7 @@ CVE-2024-51755 (Twig is a template language for PHP. 
In a sandbox, an attacker c
 CVE-2024-51754 (Twig is a template language for PHP. In a sandbox, an attacker 
can cal ...)
        {DLA-4186-1}
        - php-twig 3.14.2-1 (bug #1086884)
-       [bookworm] - php-twig <no-dsa> (Minor issue)
+       [bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
        - twig <removed>
        NOTE: 
https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
        NOTE: Fixed by: 
https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73 
(v3.14.1)
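Review bot: the new reason on the [bookworm] line for CVE-2024-51754 sits beside {DLA-4186-1} and a "Fixed by" NOTE that names a single upstream commit (v3.14.1), which reads as if a targeted fix is available. Add a NOTE stating why that commit cannot be applied to the bookworm version, so the <ignored> state does not look contradictory next to the existing annotations.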



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c075fff1cdf8b8e584735ba262b10d57c379fbaf

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
