Your message dated Wed, 18 Sep 2024 19:33:26 +0000
with message-id <e1sr0qy-009kxt...@fasolo.debian.org>
and subject line Bug#1081561: fixed in php-twig 3.5.1-1+deb12u1
has caused the Debian Bug report #1081561,
regarding php-twig: CVE-2024-45411
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1081561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-twig
Version: 3.8.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.5.1-1
Hi,
The following vulnerability was published for php-twig.
CVE-2024-45411[0]:
| Twig is a template language for PHP. Under some circumstances, the
| sandbox security checks are not run which allows user-contributed
| templates to bypass the sandbox restrictions. This vulnerability is
| fixed in 1.44.8, 2.16.1, and 3.14.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45411
https://www.cve.org/CVERecord?id=CVE-2024-45411
[1] https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
[2]
https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: php-twig
Source-Version: 3.5.1-1+deb12u1
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
php-twig, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated php-twig package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 14 Sep 2024 17:27:44 +0200
Source: php-twig
Architecture: source
Version: 3.5.1-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1081561
Changes:
php-twig (3.5.1-1+deb12u1) bookworm-security; urgency=medium
.
* Fix a security issue when an included sandboxed template has been loaded
before without the sandbox context [CVE-2024-45411] (Closes: #1081561)
* Track bookworm
Checksums-Sha1:
2abff8e739317c2a30141076d7267e06fd7a2120 2910 php-twig_3.5.1-1+deb12u1.dsc
06e0762b78fb6770e676f1f2296932497b2a331e 204292 php-twig_3.5.1.orig.tar.xz
86ef73f65186e0bd4b180827604b16ff3cf9fa57 19632
php-twig_3.5.1-1+deb12u1.debian.tar.xz
07f722c7ed50e313e02b76ec7d174d8b099e5c82 13837
php-twig_3.5.1-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
24f2b11a267dbf75d2a0b0c7d87dbd51e735d08416c2b67ec874fbf005159aa0 2910
php-twig_3.5.1-1+deb12u1.dsc
1c6b0b85a6076bc2a96e916121dbb473a650a521b4ff82036fb7806d78dfef03 204292
php-twig_3.5.1.orig.tar.xz
3b370386cdc83879af53f6674aee446d400a8b557d157e3b3b463773b48d8bbd 19632
php-twig_3.5.1-1+deb12u1.debian.tar.xz
e591e5bde280c60a20e8b31512962efd91e03e010d82f5ac40a110a503cc9b55 13837
php-twig_3.5.1-1+deb12u1_amd64.buildinfo
Files:
8a4a5a7e630583ac2978a5f2a73aad41 2910 php optional php-twig_3.5.1-1+deb12u1.dsc
c0806078521841463715c7ddfad7b9ee 204292 php optional php-twig_3.5.1.orig.tar.xz
d53a48d78180d2574d82aa9c862be173 19632 php optional
php-twig_3.5.1-1+deb12u1.debian.tar.xz
e2e1bb9d881e8816f08940d2f38986c5 13837 php optional
php-twig_3.5.1-1+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmbnJMcSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08gT0IAIO7vcyhWqxZA66ccNdIQc4qfNTK1TiZ
iWPUDPE+fzdm1EqF6kQpnJLpxbNeyNSoaJlIbQtXZGiSDeaDr6CAppVr3thk/M2S
y/jNCQUBc8+Uvncl6d+cyPtCcjCLPFGKMBtxRrQ4eRozACwJDvvx/FHLEk7V0uG8
MS4uymd1IHyQyX2AtBmwIaCvk041JC2bbS9ADCPDVlRE6f8mRnbGxljUaEMvpaif
w6dKWKzjSw4ytW3oxB05K3yk0zN6yG1fGn8LBXJMVekHf/lzYMdeY65aOdOPWrSM
0jE3T5HNw66UTanKUFZKB9DYV00NsN/USdszUM+mkLNjDSG8Ev6PuSs=
=hQZf
-----END PGP SIGNATURE-----
pgpP28vMmViYT.pgp
Description: PGP signature
--- End Message ---
