[pkg-php-pear] Bug#925319: unblock: twig/2.6.2-2

David Prévot taffit at debian.org
Sat Mar 23 19:02:25 GMT 2019


On 22/03/2019 at 14:22, David Prévot wrote:
> Please unblock package twig, it backports a security fix (Sandbox
> Information Disclosure) from the latest (2.7) version.

Looks like this issue is known as CVE-2019-9942.

Unfortunately, I’ve just been made aware that a source package named
twig used to be in Debian over ten years ago, and that a 2.6.2-2 version
was uploaded eighteen years ago, hence this package violates the recent
(since 4.1.4) Policy 3.2.2 item.

I just uploaded a renamed php-twig source package to experimental, I’ll
request another unblock once it has been processed from NEW and I’ve
uploaded a 2.6.2-3 version to unstable just changing the source package
name (unless you disagree this has to be fixed for buster).


