Date: Wed, 30 Sep 2015 12:51:00 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: twig remote code execution

On Fri, Aug 21, 2015 at 02:39:57PM +0200, Alessandro Ghedini wrote:
> Hello,
>
> the Symfony project released a security advisory for the Twig PHP library:
> http://symfony.com/blog/security-release-twig-1-20-0
>
> The linked GitHub pull request provides the fixes:
> https://github.com/twigphp/Twig/pull/1759
>
> AFAICT there are at least two issues: a remote code execution fixed by the "fixed
> sandbox security issue" patch, and at least another issue regarding access to
> "reserved macro names".
>
> The RCE deserves a CVE IMO, but I'm not sure about the other one (or if it is
> indeed only one issue).
>
> Can CVE(s) be assigned for the above issue(s) as you deem appropriate?
>
> Thanks

Ping?

Cheers