[Git][security-tracker-team/security-tracker][master] CVE-2019-9942,twig: Mark as no-dsa for Jessie.

Markus Koschany apo at debian.org
Wed Mar 27 16:42:52 GMT 2019



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c88e6d45 by Markus Koschany at 2019-03-27T16:35:11Z
CVE-2019-9942,twig: Mark as no-dsa for Jessie.

The sandbox is not enabled by default. Workaround is to blacklist __toString().
We could upgrade to a newer upstream release of the 1.x branch but since the
package is not widely used in general and not by any sponsor I consider this to
be low priority.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -398,6 +398,7 @@ CVE-2016-10743 (hostapd before 2.6 does not prevent use of the low-quality PRNG
 CVE-2019-9942 (A sandbox information disclosure exists in Twig before 1.38.0 and 2.x  ...)
 	[experimental] - twig 2.7.1-1
 	- twig 2.6.2-2
+	[jessie] - twig <no-dsa> (low priority, sandbox disabled by default)
 	NOTE: https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
 	NOTE: https://symfony.com/blog/twig-sandbox-information-disclosure
 CVE-2019-9941
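Review bot: The added "[jessie] - twig <no-dsa>" line records why the issue is deferred (low priority, sandbox disabled by default) but not the workaround given in the commit message, so a reader of data/CVE/list who does enable the sandbox on jessie gets no pointer to it. Consider adding a NOTE line to this entry next to the two existing NOTE URLs, for example "NOTE: Workaround: blacklist __toString()", so the mitigation is visible in the tracker entry itself and not only in the commit log.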



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c88e6d452b4e4961687adfbc705cea8460934466



More information about the debian-security-tracker-commits mailing list