From: Sebastien Delafond
Newsgroups: linux.debian.announce.security
Subject: [SECURITY] [DSA 5246-1] php-twig security update
Date: Wed, 05 Oct 2022 07:40:01 +0200
List-Archive: https://lists.debian.org/msgid-search/E1ofx5v-00H4BD-LC@seger.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-5246-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 04, 2022                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php-twig
CVE ID         : CVE-2022-39261
Debian Bug     : 1020991

Marlon Starkloff discovered that twig, a template engine for PHP, did
not correctly enforce sandboxing. This would allow a malicious user to
execute arbitrary code.

For the stable distribution (bullseye), this problem has been fixed in
version 2.14.3-1+deb11u2.

We recommend that you upgrade your php-twig packages.

For the detailed security status of php-twig please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/php-twig

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org