
Fedora 21: FEDORA-2015-13423 Moderate: Php-Twig Remote Code Execution

fedora
September 6, 2015
A patch for php-twig in Fedora 21 addresses security flaws and enhances template management.

Summary

The flexible, fast, and secure template engine for PHP.

* Fast: Twig compiles templates down to plain optimized PHP code. The overhead compared to regular PHP code was reduced to the very minimum.

* Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design.

* Flexible: Twig is powered by a flexible lexer and parser. This allows developers to define their own custom tags and filters, and create their own DSL.

Update Information:

## 1.20.0 (2015-08-12)

* forbid access to the Twig environment from templates and internal parts of Twig_Template
* fixed limited RCEs when in sandbox mode
* deprecated Twig_Template::getEnvironment()
* deprecated the _self variable for usage outside of the from and import tags
* added Twig_BaseNodeVisitor to ease the compatibility of node visitors between 1.x and 2.x

## 1.19.0 (2015-07-31)

* fixed wrong error message when including an undefined template in a child template
* added support for variadic filters, functions, and tests
* added support for extra positional arguments in macros
* added ignore_missing flag to the source function
* fixed batch filter with zero items
* deprecated Twig_Environment::clearTemplateCache()
* fixed sandbox disabling when using the include function
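An added example, not part of the advisory or of Twig itself: because 1.20.0 deprecates the _self variable outside the from and import tags, this Python script lists such uses in a template tree so they can be reviewed when the update is applied. The `*.twig` file extension, the function name and the sample template are assumptions; the match is a text heuristic and can also flag `_self` inside a string literal.

```python
import re
import sys
from pathlib import Path

# Twig delimiters: {# comment #}, {{ output }}, {% tag %}.
TOKEN_RE = re.compile(r"\{#.*?#\}|\{\{.*?\}\}|\{%.*?%\}", re.S)
# _self as a standalone name, not an attribute (a._self) or suffix (my_self).
SELF_RE = re.compile(r"(?<![\w.])_self\b")
ALLOWED_TAGS = {"from", "import"}  # the two tags the changelog still permits


def find_deprecated_self(source):
    """Return (line, snippet) for each _self use outside from/import tags."""
    findings = []
    for m in TOKEN_RE.finditer(source):
        block = m.group(0)
        if block.startswith("{#"):
            continue  # comments are never evaluated
        if block.startswith("{%"):
            # Drop delimiters and whitespace-control dashes, then read the tag name.
            words = block[2:-2].strip("- \t\r\n").split()
            if words and words[0] in ALLOWED_TAGS:
                continue
        for hit in SELF_RE.finditer(block):
            line = source.count("\n", 0, m.start() + hit.start()) + 1
            findings.append((line, " ".join(block.split())))
    return findings


# Constructed sample template (not taken from any real project).
SAMPLE = """{% import _self as forms %}
{% from _self import field %}
{# _self mentioned in a comment #}
<p>{{ _self.field('q') }}</p>
{%- set t = _self -%}
{{ forms.field('q') }}
"""

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan directories.
    if len(sys.argv) == 1:
        for line, snippet in find_deprecated_self(SAMPLE):
            print(f"<sample>:{line}: {snippet}")
    for root in sys.argv[1:]:
        for path in sorted(Path(root).rglob("*.twig")):
            text = path.read_text(errors="replace")
            for line, snippet in find_deprecated_self(text):
                print(f"{path}:{line}: {snippet}")
```
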

Change Log

References


[1] Bug #1255795 - php-twig: Remote code execution via Twig templates https://bugzilla.redhat.com/show_bug.cgi?id=1255795

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update php-twig' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
important

Name: php-twig
Product: Fedora 21
Version: 1.20.0
Release: 1.fc21
URL:
Summary: The flexible, fast, and secure template engine for PHP
