Debian alert DSA-6311-1 (php-twig) [LWN.net]


From:
               Moritz Muehlenhoff <jmm@debian.org>
To:
               debian-security-announce@lists.debian.org
Subject:
               [SECURITY] [DSA 6311-1] php-twig security update
Date:
               Fri, 29 May 2026 18:34:20 +0000
Message-ID:
               <ahncLHeBKDUfnOBL@seger.debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6311-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 29, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-twig
CVE ID         : CVE-2026-24425 CVE-2026-46627 CVE-2026-46628 CVE-2026-46629 
                 CVE-2026-46633 CVE-2026-46634 CVE-2026-46635 CVE-2026-46636 
                 CVE-2026-46637 CVE-2026-46638 CVE-2026-46640 CVE-2026-47730 
                 CVE-2026-47732 CVE-2026-48805

Multiple security vulnerabilities were discovered in Twig, a template
engine for PHP, which could result in PHP code injection, sandbox bypass
or cross-site scripting.

For the stable distribution (trixie), these problems have been fixed in
version 3.27.0-0+deb13u1.

We recommend that you upgrade your php-twig packages.

For the detailed security status of php-twig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-twig

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmoZ2OYACgkQEMKTtsN8
TjZZpQ//RL6C/Uyft9psxLNzRzMZlZR1UmEl/gbuzUWWWqIiiMz0SJv1CXe1fKkB
G3hOv56uP/bTQBxQRLOPnci5n02jIHocNFaWtyAEYKGdbxI/uFDUUHV7og90NTnZ
FW9IPFrzujmrRs9hd3yIMGCEUfze+5t51ehCY01a65cYV9mEEMaiuewFuD2+8jNF
CWdbbReid5cmKL9Rb7pikvX1tvVbRX70AVfTF3ajkcoBLcJ+zCl8V0d0zE2ROt0Y
blxfNlxs660RmiZrADxq8wwoDYlH2Q9Y+uNZE+pVdsvDFXT6f8W+4mKdTaWGnsz5
Cqrvl3M5eTkBQeXWUbc7qabYp93zbsBSTig3bF0c40BFMh2VdWZyVZUKm6pGF1iw
oeM3+zEPOAGpbzVd0LAtRlGsqj3sWcTl+NqW01/Crbs94SZizib7Bd0qPeAdfogE
kJNThXwkYqcBweaZ3AEWgIMnisQiO4ASwrkDtDu6ka9yKSklbNqcHKUv6cUa4B0K
xN0d7OYtjB5dL7DmBglN5Az2jC6nTFCtxzsuql8qWLj3gwQLuVLkbJjUjTJ/JqZ1
H/toW5w5KzotIqZ9XJJGup7qK3soU4JzgtqIaOKxLrw/nP2O8uHiVMg19BjoHhXN
hQvNOFR9Iwgz1Wp3Qoflh7mEtFVm0THrZS6J9RrFxUORlQSunFs=
=zhXV
-----END PGP SIGNATURE-----
From:		Moritz Muehlenhoff <jmm@debian.org>
To:		debian-security-announce@lists.debian.org
Subject:		[SECURITY] [DSA 6311-1] php-twig security update
Date:		Fri, 29 May 2026 18:34:20 +0000
Message-ID:		<ahncLHeBKDUfnOBL@seger.debian.org>