Your message dated Sat, 14 Sep 2024 16:04:57 +0000
with message-id <e1spvgb-005fke...@fasolo.debian.org>
and subject line Bug#1081561: fixed in php-twig 3.8.0-4
has caused the Debian Bug report #1081561,
regarding php-twig: CVE-2024-45411
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1081561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-twig
Version: 3.8.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.5.1-1

Hi,

The following vulnerability was published for php-twig.

CVE-2024-45411[0]:
| Twig is a template language for PHP. Under some circumstances, the
| sandbox security checks are not run which allows user-contributed
| templates to bypass the sandbox restrictions. This vulnerability is
| fixed in 1.44.8, 2.16.1, and 3.14.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45411
    https://www.cve.org/CVERecord?id=CVE-2024-45411
[1] https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
[2] https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-twig
Source-Version: 3.8.0-4
Done: David Prévot <taf...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-twig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated php-twig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 Sep 2024 17:08:32 +0200
Source: php-twig
Architecture: source
Version: 3.8.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1081561
Changes:
 php-twig (3.8.0-4) unstable; urgency=medium
 .
   * Fix a security issue when an included sandboxed template has been loaded
     before without the sandbox context [CVE-2024-45411] (Closes: #1081561)
   * Track 3.8 since phpmyadmin forces it (ref. #1081725)
Checksums-Sha1:
 e8731e1bdf227cd65443413111e93c2eae979679 2837 php-twig_3.8.0-4.dsc
 3e50430ab044d9ab4802dbdf8a53d23460e1af08 21456 php-twig_3.8.0-4.debian.tar.xz
 43edfef057fdff422d45cbf012e0b9d7ebcff4b5 13617 php-twig_3.8.0-4_amd64.buildinfo
Checksums-Sha256:
 0428ca1c3c48f0fe00c53bbb295c2ee2540cb2e6b3460cbdfcc1076b4c8d6029 2837 php-twig_3.8.0-4.dsc
 402ebbf8b3a392dce9c37c2609bd0d4f38d1e1f874d722c8dad57f5aa2c8801d 21456 php-twig_3.8.0-4.debian.tar.xz
 2efbcef53e9292c8e6e6c32f8be2e3abd3716003a9390a83e9663b11161d2a6d 13617 php-twig_3.8.0-4_amd64.buildinfo
Files:
 9cf54086ab4bb6f96c9d0a334b9570b9 2837 php optional php-twig_3.8.0-4.dsc
 b876c3a9a98fcb28ac27d755baab441c 21456 php optional php-twig_3.8.0-4.debian.tar.xz
 1432d5036a3d81024c8f1afdc5773ae6 13617 php optional php-twig_3.8.0-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--- End Message ---
