-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 27 May 2026 23:21:18 +0200
Source: php-twig
Architecture: source
Version: 3.27.0-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
php-twig (3.27.0-0+deb13u1) trixie-security; urgency=medium
.
[ Fabien Potencier ]
* Fix sandbox bypass: propagate sandbox state to checkArrow for source-policy
sandboxing [CVE-2026-24425]
* Fix sandbox `__toString` bypasses [CVE-2026-47732]
* Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628]
* Document template_from_string caveats when used in a sandboxed env
[CVE-2026-46634]
* Document that the sandbox doesn't protect against resource exhaustion
[CVE-2026-46627]
* Fix sandbox bypass in deprecated internal wrappers [CVE-2026-48805]
* Fix sandbox bypass in the "column" filter under SourcePolicyInterface
[CVE-2026-48808]
* Fix sandbox __toString bypass via Traversable in join/replace filters
* Fix sandbox `__toString` bypass via the `in` and `not in` operators
[CVE-2026-48807]
* Fix sandbox __toString policy bypass via dynamic mapping keys
[CVE-2026-48806]
* Fix sandbox filter/tag/function allow-list bypass when sandbox state
changes between renders [CVE-2026-46636]
* Update CHANGELOG
* Prepare the 3.27.0 release
.
[ Alexandre Daubois ]
* Fix sandbox bypass in object destructuring assignment [CVE-2026-46639]
* Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
[CVE-2026-46629]
* Fix sandbox bypass: PHP code injection via {% use %} template name
[CVE-2026-46633]
* Fix sandbox bypass in the `{% sandbox %}` tag when including a preloaded
template [CVE-2026-46638]
* Fix sandbox bypass: PHP code injection via _self / import macro reference
[CVE-2026-46640]
* Fix sandbox bypass in the "column" filter [CVE-2026-46635]
.
[ Nicolas Grekas ]
* Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters
[CVE-2026-46637]
* Pre-escape HTML input on `inline_css` and `inky_to_html` filters
* [Profiler] Escape template and profile names in HtmlDumper [CVE-2026-47730]
.
[ David Prévot ]
* Track debian/trixie branch
* Refresh patches
* Make phpab tolerant
* Update build for related path
Checksums-Sha1:
25b63c3411723dc568a49bb392e28326d4c338ca 2943 php-twig_3.27.0-0+deb13u1.dsc
65958235ae13b3d5df88b4597cb8f9275c2b86ec 295220 php-twig_3.27.0.orig.tar.xz
37f79dc056b2f7aae26357aa7bc817adb9fcdc2a 32464 php-twig_3.27.0-0+deb13u1.debian.tar.xz
a92ead933b9d49468d2039e9cabe5a3f745f8df2 13673 php-twig_3.27.0-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
6110222dcccd1d6acdae6fa40cbbbcff43c9f8a59b70507eaceed6c0d9a461d6 2943 php-twig_3.27.0-0+deb13u1.dsc
34c8a7e6570787bb9f3502d991832c42d5066f008132c2cad09b5d793c775705 295220 php-twig_3.27.0.orig.tar.xz
b4e368de75bc3214f9914a13b4d332f1797a6eb2519b0af2ce64bfdd22df2e6a 32464 php-twig_3.27.0-0+deb13u1.debian.tar.xz
b753ede33b55b6cc7b860862cbf4ce907b392b69bfb422c6ee8beb2ce6734a14 13673 php-twig_3.27.0-0+deb13u1_amd64.buildinfo
Files:
76c228e04c68421a4ffbbcaeaf3d033c 2943 php optional php-twig_3.27.0-0+deb13u1.dsc
a0fd43ce95ac7a80c70bf85b89ce6859 295220 php optional php-twig_3.27.0.orig.tar.xz
b8ef6d9926497bbf2b91a1e0b701612e 32464 php optional php-twig_3.27.0-0+deb13u1.debian.tar.xz
e3bf891952e791f6c8ea43506c5d4d8b 13673 php optional php-twig_3.27.0-0+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----