
oss-sec mailing list archives
Re: CVE Request: twig remote code execution
From: Alessandro Ghedini <alessandro () ghedini me>
Date: Wed, 30 Sep 2015 12:51:00 +0200
On Fri, Aug 21, 2015 at 02:39:57PM +0200, Alessandro Ghedini wrote:
Hello,

the Symfony project released a security advisory for the Twig PHP library:
http://symfony.com/blog/security-release-twig-1-20-0

The linked GitHub pull request provides the fixes:
https://github.com/twigphp/Twig/pull/1759

AFAICT there are at least two issues: a remote code execution fixed by the "fixed sandbox security issue" patch, and at least another issue regarding access to "reserved macro names". The RCE deserves a CVE IMO, but I'm not sure about the other one (or if it is indeed only one issue).

Can CVE(s) be assigned for the above issue(s) as you deem appropriate?

Thanks
Ping? Cheers
Current thread:
- CVE Request: twig remote code execution Alessandro Ghedini (Aug 21)
- Re: CVE Request: twig remote code execution Alessandro Ghedini (Sep 30)