[pkg-php-pear] Bug#925319: unblock: twig/2.6.2-2
David Prévot
taffit at debian.org
Sat Mar 23 00:22:39 GMT 2019
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package twig, it backports a security fix (Sandbox
Information Disclosure) from the latest (2.7) version.

https://symfony.com/blog/twig-sandbox-information-disclosure

Unfortunately, upstream moved from PSR-0 to PSR-4 prior to fixing this
security issue, so I had to backport the fix instead of simply
cherry-picking the commit. I managed to backport the fixes of the testsuite
too to help in the confidence that the fix is correct. 2.7 is in
experimental, I can upload this version to unstable if you prefer.

Ditto, upstream 1.38 moved from PSR-0 to PSR-4, and backporting the fix
to 1.24 is even more tedious (some structures seem to have changed in
between), so I’m not yet proposing a stretch-update (the security-team
is X-Debbugs-CCed on this report, so they can share their point of view
on this request).

unblock twig/2.6.2-2

Thanks in advance.

Regards

David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twig.diff
Type: text/x-diff
Size: 15569 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20190322/b8207438/attachment.diff>