[Git][security-tracker-team/security-tracker][master] twig triage for older suites

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 1 22:05:11 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c075fff1 by Moritz Muehlenhoff at 2026-06-01T23:04:22+02:00
twig triage for older suites

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4146,6 +4146,7 @@ CVE-2026-48489
 CVE-2026-46636
 	{DSA-6311-1}
 	- php-twig 3.27.0-1
+	[bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders
 CVE-2026-48806
 	- php-twig 3.27.0-1
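Review bot: the added `[bookworm]` line for CVE-2026-46636 gives "Minor issue" as the reason without saying why, even though the entry carries {DSA-6311-1} and the linked advisory title describes a sandbox allow-list bypass. A short NOTE with the rationale for treating it as minor in bookworm would let users of that suite judge their exposure, since `<ignored>` signals that no fix is planned.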
@@ -4168,6 +4169,7 @@ CVE-2026-48808
 CVE-2026-48805
 	{DSA-6311-1}
 	- php-twig 3.27.0-1
+	[bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php
 CVE-2026-47770
 	- jq 1.8.1-7
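Review bot: for CVE-2026-48805 the NOTE URL describes a "sandbox state regression in deprecated internal wrappers", so it is worth checking whether the bookworm version contains those wrappers before settling on `<ignored>`. If the affected code is not present there, `<not-affected>` with a reason such as "Vulnerable code not present" would be the more accurate state. If it is present, a NOTE saying so would close the question.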
@@ -7933,6 +7935,7 @@ CVE-2026-43494 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2026-47732
 	{DSA-6311-1}
 	- php-twig 3.26.0-1
+	[bookworm] - php-twig <ignored> (Too intrusive to backport)
 	NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-pr2w-4gpj-cpq4
 	NOTE: https://symfony.com/blog/cve-2026-47732-sandbox-multiple-tostring-policy-bypasses-via-unguarded-string-coercion-points
 CVE-2026-46634
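Review bot: the reason on the added CVE-2026-47732 line reads "(Too intrusive to backport)", while every other line in this commit uses "(Minor issue, too intrusive to backport)". If dropping "Minor issue" is deliberate because the toString policy bypasses are not considered minor, a NOTE explaining the exposure left in bookworm would help. Otherwise align the wording with the other entries.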
@@ -7950,7 +7953,7 @@ CVE-2026-46627
 CVE-2026-46635
 	{DSA-6311-1}
 	- php-twig 3.26.0-1
-	[bookworm] - php-twig <no-dsa> (Minor issue)
+	[bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://symfony.com/blog/cve-2026-46635-sandbox-property-allowlist-bypass-via-the-column-filter-array-column-on-objects
 	NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-vcc8-phrv-43wj
 	NOTE: Variant of CVE-2024-51755
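Review bot: CVE-2026-46635 moves from `<no-dsa>` to `<ignored>`, and the entry's own NOTE calls it a variant of CVE-2024-51755, but no hunk in this diff touches CVE-2024-51755 (the last hunk changes CVE-2024-51754 only). Please confirm the bookworm state of CVE-2024-51755 matches, so that the original and its variant do not end up with different triage results for the same suite.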
@@ -7978,6 +7981,7 @@ CVE-2026-46637
 CVE-2026-46638
 	{DSA-6311-1}
 	- php-twig 3.26.0-1
+	[bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://symfony.com/blog/cve-2026-46638-sandbox-include-skips-checksecurity-on-cached-templates-incomplete-fix-for-cve-2024-45411
 CVE-2026-46639
 	- php-twig 3.26.0-1
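Review bot: the NOTE URL for CVE-2026-46638 labels it an incomplete fix for CVE-2024-45411, so the `<ignored>` line leaves open whether bookworm carries the earlier fix and is therefore left with only part of it. A NOTE recording the bookworm status of CVE-2024-45411 next to this line would make the decision easier to audit.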
@@ -219435,7 +219439,7 @@ CVE-2024-51755 (Twig is a template language for PHP. In a sandbox, an attacker c
 CVE-2024-51754 (Twig is a template language for PHP. In a sandbox, an attacker can cal ...)
 	{DLA-4186-1}
 	- php-twig 3.14.2-1 (bug #1086884)
-	[bookworm] - php-twig <no-dsa> (Minor issue)
+	[bookworm] - php-twig <ignored> (Minor issue, too intrusive to backport)
 	- twig <removed>
 	NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
 	NOTE: Fixed by: https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73 (v3.14.1)
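Review bot: on CVE-2024-51754 the new reason "too intrusive to backport" sits next to {DLA-4186-1} and a single "Fixed by" upstream commit, which reads as if a contained fix exists. A NOTE stating what makes the backport intrusive for the bookworm version would explain the switch from `<no-dsa>` to `<ignored>`.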



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c075fff1cdf8b8e584735ba262b10d57c379fbaf
