Your message dated Sat, 14 Sep 2024 08:39:40 +0000
with message-id <e1spojg-0046tx...@fasolo.debian.org>
and subject line Bug#1081561: fixed in php-twig 3.14.0-1
has caused the Debian Bug report #1081561,
regarding php-twig: CVE-2024-45411
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1081561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-twig
Version: 3.8.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.5.1-1
Hi,
The following vulnerability was published for php-twig.
CVE-2024-45411[0]:
| Twig is a template language for PHP. Under some circumstances, the
| sandbox security checks are not run which allows user-contributed
| templates to bypass the sandbox restrictions. This vulnerability is
| fixed in 1.44.8, 2.16.1, and 3.14.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45411
https://www.cve.org/CVERecord?id=CVE-2024-45411
[1] https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
[2] https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: php-twig
Source-Version: 3.14.0-1
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
php-twig, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated php-twig package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 14 Sep 2024 09:40:39 +0200
Source: php-twig
Architecture: source
Version: 3.14.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1081561
Changes:
php-twig (3.14.0-1) experimental; urgency=medium
.
[ Fabien Potencier ]
* Deprecate Environment::mergeGlobals()
* Add the possibility to reset globals
* Fix a security issue when an included sandboxed template has been loaded
before without the sandbox context [CVE-2024-45411] (Closes: #1081561)
* Prepare the 3.14.0 release
--- End Message ---