
List:       oss-security
Subject:    Re: [oss-security] CVE Request: twig remote code execution
From:       Alessandro Ghedini <alessandro () ghedini ! me>
Date:       2015-09-30 10:51:00
Message-ID: 20150930105059.GB8507 () kronk ! local


On Fri, Aug 21, 2015 at 02:39:57PM +0200, Alessandro Ghedini wrote:
> Hello,
> 
> The Symfony project released a security advisory for the Twig PHP library:
> http://symfony.com/blog/security-release-twig-1-20-0
> 
> The linked GitHub pull request provides the fixes:
> https://github.com/twigphp/Twig/pull/1759
> 
> AFAICT there are at least two issues: a remote code execution fixed by the "fixed
> sandbox security issue" patch, and at least another issue regarding access to
> "reserved macro names".
> 
> The RCE deserves a CVE IMO, but I'm not sure about the other one (or if it is
> indeed only one issue).
> 
> Can CVE(s) be assigned for the above issue(s) as you deem appropriate?
> 
> Thanks

Ping?

Cheers

