[pkg-php-pear] php-twig_3.26.0-1_source.changes ACCEPTED into unstable
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Thu May 21 11:18:55 BST 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 21 May 2026 07:30:58 +0200
Source: php-twig
Architecture: source
Version: 3.26.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear at lists.alioth.debian.org>
Changed-By: David Prévot <taffit at debian.org>
Changes:
 php-twig (3.26.0-1) unstable; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix sandbox bypass: propagate sandbox state to checkArrow for source-policy
     sandboxing [CVE-2026-24425]
   * Fix sandbox `__toString` bypasses [CVE-2026-47732]
   * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628]
   * Document template_from_string caveats when used in a sandboxed env
     [CVE-2026-46634]
   * Document that the sandbox doesn't protect against resource exhaustion
     [CVE-2026-46627]
   * Update CHANGELOG
   * Prepare the 3.26.0 release
 .
   [ Alexandre Daubois ]
   * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639]
   * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
     [CVE-2026-46629]
   * Fix sandbox bypass: PHP code injection via {% use %} template name
     [CVE-2026-46633]
   * Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded
     template [CVE-2026-46638]
   * Fix sandbox bypass: PHP code injection via _self / import macro reference
     [CVE-2026-46640]
   * Fix sandbox bypass in the "column" filter [CVE-2026-46635]
 .
   [ Nicolas Grekas ]
   * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters
     [CVE-2026-46637]
   * Pre-escape HTML input on `inline_css` and `inky_to_html` filters
   * [Profiler] Escape template and profile names in HtmlDumper [CVE-2026-47730]
 .
   [ David Prévot ]
   * Use full version with RequiresPhp
   * Update standards version to 4.7.4
Files:
413136812b34a2487eb8360297f5f99e 2949 php optional php-twig_3.26.0-1.dsc
7abc94787ed54cc96c3f91ece4b7a473 288376 php optional php-twig_3.26.0.orig.tar.xz
ab9c0c21f2e7c52fc06dcd0a08f42343 33112 php optional php-twig_3.26.0-1.debian.tar.xz
2f9f99b4805c8eb896d0b4554f1a39c3 12839 php optional php-twig_3.26.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----