[Git][security-tracker-team/security-tracker][master] 2 commits: Remove twig from dla-/dsa-needed.txt.

Markus Koschany (@apo) apo at debian.org
Fri May 6 15:08:02 BST 2022 


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3df8707b by Markus Koschany at 2022-05-06T16:00:08+02:00
Remove twig from dla-/dsa-needed.txt.

The arrow function was first introduced in Twig 2.12. Stretch and
Buster are not affected.

- - - - -
a832eed5 by Markus Koschany at 2022-05-06T16:04:30+02:00
CVE-2022-23614,twig: Stretch and Buster are not affected

The vulnerable code was introduced later.

- - - - -


3 changed files:

- data/CVE/list
- data/dla-needed.txt
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -19676,6 +19676,8 @@ CVE-2022-23614 (Twig is an open source template language for PHP. When in a sand
 	{DSA-5107-1}
 	- php-twig 3.3.8-1
 	- twig <removed>
+	[buster] - twig <not-affected> (The vulnerable code was introduced later)
+	[stretch] - twig <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
 	NOTE: https://github.com/twigphp/Twig/pull/3641
 	NOTE: https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5 (v3.3.8)


=====================================
data/dla-needed.txt
=====================================
@@ -179,9 +179,6 @@ tiff (Utkarsh)
   NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh)
   NOTE: 20220502: will collate the new CVEs and update the package. (utkarsh)
 --
-twig (Markus Koschany)
-  NOTE: 20220402: cf. DSA-5107-1; similar code in lib/Twig/Extension/Core.php (Beuc)
---
 unzip
   NOTE: 20220319: no patches yet but reproducible (apo)
   NOTE: 20220429: CVE-2022-0530: reported #1010355 with a proposed patch (enrico)


=====================================
data/dsa-needed.txt
=====================================
@@ -54,8 +54,6 @@ sox
 trafficserver (jmm)
   wait until status for CVE-2021-38161 is clarified (upstream patch got reverted)
 --
-twig/oldstable
---
 unzip
   no details public yet
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9a8e2b9590820b623fe62835ec21d119a7b9921e...a832eed5760816c703cea8627e6feeb38a1656c7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9a8e2b9590820b623fe62835ec21d119a7b9921e...a832eed5760816c703cea8627e6feeb38a1656c7
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220506/7575a512/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list