Date: Fri, 21 Aug 2015 14:39:57 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request: twig remote code execution

Hello,

the Symfony project released a security advisory for the Twig PHP library:
http://symfony.com/blog/security-release-twig-1-20-0

The linked GitHub pull request provides the fixes:
https://github.com/twigphp/Twig/pull/1759

AFAICT there are at least two issues: a remote code execution fixed by the "fixed
sandbox security issue" patch, and at least another issue regarding access to
"reserved macro names".

The RCE deserves a CVE IMO, but I'm not sure about the other one (or if it is
indeed only one issue).

Can CVE(s) be assigned for the above issue(s) as you deem appropriate?

Thanks
