* bsc#1234808 * bsc#1234809 * bsc#1238879 Cross-References: . # Security update for python-Jinja2 Announcement ID: SUSE-SU-2025:20254-1 Release Date: 2025-03-28T13:55:44Z Rating: important References: * bsc#1234808 * bsc#1234809 * bsc#1238879 Cross-References: * CVE-2024-56201 * CVE-2024-56326 * CVE-2025-27516 CVSS scores: * CVE-2024-56201 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2024-56201 ( NVD ): 5.4 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2024-56201 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-56326 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2024-56326 ( NVD ): 5.4 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2024-56326 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2025-27516 ( SUSE ): 5.4 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2025-27516 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H * CVE-2025-27516 ( NVD ): 5.4 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Affected Products: * SUSE Linux Micro 6.1 An update that solves three vulnerabilities can now be installed. ## Description: This update for python-Jinja2 fixes the following issues: * CVE-2025-27516: Fixed Jinja sandbox breakout through attr filter selecting format method (bsc#1238879) * CVE-2024-56201: Fixed sandbox breakout through malicious content and filename of a template (bsc#1234808) * CVE-2024-56326:Fixed sandbox breakout through indirect reference to format method (bsc#1234809) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.1 zypper in -t patch SUSE-SLE-Micro-6.1-52=1 ## Package List: * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64) * python311-Jinja2-3.1.4-slfo.1.1_2.1 ## References: * https://www.suse.com/security/cve/CVE-2024-56201.html * https://www.suse.com/security/cve/CVE-2024-56326.html * https://www.suse.com/security/cve/CVE-2025-27516.html * https://bugzilla.suse.com/show_bug.cgi?id=1234808 * https://bugzilla.suse.com/show_bug.cgi?id=1234809 * https://bugzilla.suse.com/show_bug.cgi?id=1238879 . Crucial update for python-Jinja2 in SUSE Linux Micro 6.1 addresses various sandbox vulnerabilities and bolsters protective protocols.. SUSE Linux Micro, python-Jinja2, security patch, sandbox issues. . LinuxSecurity.com Team
Update to 3.1.5 Security fix for CVE-2024-56201. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-7b6e208ef2 2025-01-12 01:37:12.378777+00:00 -------------------------------------------------------------------------------- Name : python-jinja2 Product : Fedora 41 Version : 3.1.5 Release : 1.fc41 URL : https://palletsprojects.com/projects/jinja/ Summary : General purpose template engine Description : Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. If you have any exposure to other text-based template languages, such as Smarty or Django, you should feel right at home with Jinja2. It's both designer and developer friendly by sticking to Python's principles and adding functionality useful for templating environments. -------------------------------------------------------------------------------- Update Information: Update to 3.1.5 Security fix for CVE-2024-56201 -------------------------------------------------------------------------------- ChangeLog: * Wed Jan 8 2025 Miro HronÄok - 3.1.5-1 - Update to 3.1.5 - Security fix for CVE-2024-56201 - Fixes: rhzb#2333688 - Fixes: rhzb#2336377 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2333854 - CVE-2024-56201 jinja2: Jinja has a sandbox breakout through malicious filenames https://bugzilla.redhat.com/show_bug.cgi?id=2333854 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-7b6e208ef2' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys usedby the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- . Patch released for python-jinja2 on Fedora 41 targeting a sandbox escape vulnerability. Upgrade to version 3.1.5 is now accessible.. Fedora Updates, python-jinja2 security, template engine fix, sandbox breakout, security advisory. . LinuxSecurity.com Team
Fabien Potencier discovered that under some conditions the sandbox mechanism of Twig, a template engine for PHP, could by bypassed. For the stable distribution (bookworm), this problem has been fixed in . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5771-1
It was discovered that insufficient restriction of unix daemon sockets in the GNU Guix functional package manager could result in sandbox bypass. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5669-1
Marlon Starkloff discovered that twig, a template engine for PHP, did not correctly enforce sandboxing. This would allow a malicious user to execute arbitrary code. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-5246-1
An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash (CVE-2022-26381). When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification (CVE-2022-26383). . MGASA-2022-0097 - Updated thunderbird packages fix security vulnerabilities Publication date: 11 Mar 2022 URL: https://advisories.mageia.org/MGASA-2022-0097.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-26381, CVE-2022-26383, CVE-2022-26384, CVE-2022-26386, CVE-2022-26387 An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash (CVE-2022-26381). When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification (CVE-2022-26383). If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox (CVE-2022-26384). Previously Thunderbird for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory (CVE-2022-26386). When installing an add-on, Thunderbird verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Thunderbird would not have noticed (CVE-2022-26387). References: - https://bugs.mageia.org/show_bug.cgi?id=30144 - https://www.mozilla.org/en-US/security/advisories/mfsa2022-12/ - https://www.thunderbird.net/en-US/thunderbird/91.7.0/releasenotes/ - https://www.cve.org/CVERecord?id=CVE-2022-26381 - https://www.cve.org/CVERecord?id=CVE-2022-26383 - https://www.cve.org/CVERecord?id=CVE-2022-26384 -https://www.cve.org/CVERecord?id=CVE-2022-26386 - https://www.cve.org/CVERecord?id=CVE-2022-26387 SRPMS: - 8/core/thunderbird-91.7.0-1.mga8 - 8/core/thunderbird-l10n-91.7.0-1.mga8 . Revised Thunderbird distributions tackle security concerns encompassing use-after-free and sandboxing weaknesses within Mageia.. Thunderbird Update, Mageia Security, Use-After-Free Fix. . LinuxSecurity.com Team
**Version 3.3.8** (2022-02-04) * Fix a security issue when in a sandbox: the `sort` filter must require a Closure for the `arrow` parameter * Fix deprecation notice on `round` * Fix call to deprecated `convertToHtml` method. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-7d871d7583 2022-02-13 01:14:18.017042 --------------------------------------------------------------------------------Name : php-twig3 Product : Fedora 35 Version : 3.3.8 Release : 1.fc35 URL : https://twig.symfony.com Summary : The flexible, fast, and secure template engine for PHP Description : The flexible, fast, and secure template engine for PHP. * Fast: Twig compiles templates down to plain optimized PHP code. The overhead compared to regular PHP code was reduced to the very minimum. * Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design. * Flexible: Twig is powered by a flexible lexer and parser. This allows the developer to define its own custom tags and filters, and create its own DSL. Autoloader: /usr/share/php/Twig3/autoload.php --------------------------------------------------------------------------------Update Information: **Version 3.3.8** (2022-02-04) * Fix a security issue when in a sandbox: the `sort` filter must require a Closure for the `arrow` parameter * Fix deprecation notice on `round` * Fix call to deprecated `convertToHtml` method --------------------------------------------------------------------------------ChangeLog: * Fri Feb 4 2022 Remi Collet - 3.3.8-1 - update to 3.3.8 --------------------------------------------------------------------------------References: [ 1 ] Bug #2051361 - CVE-2022-23614 twig: Disallow non closures in `sort` filter when the sandbox mode is enabled https://bugzilla.redhat.com/show_bug.cgi?id=2051361 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-7d871d7583' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
**Version 2.14.11** (2022-02-04) * Fix a security issue when in a sandbox: the `sort` filter must require a Closure for the `arrow` parameter * Fix deprecation notice on `round` * Fix call to deprecated `convertToHtml` method. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-58abb323f0 2022-02-13 01:14:18.017032 --------------------------------------------------------------------------------Name : php-twig2 Product : Fedora 35 Version : 2.14.11 Release : 1.fc35 URL : https://twig.symfony.com Summary : The flexible, fast, and secure template engine for PHP Description : The flexible, fast, and secure template engine for PHP. * Fast: Twig compiles templates down to plain optimized PHP code. The overhead compared to regular PHP code was reduced to the very minimum. * Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design. * Flexible: Twig is powered by a flexible lexer and parser. This allows the developer to define its own custom tags and filters, and create its own DSL. Autoloader: /usr/share/php/Twig2/autoload.php --------------------------------------------------------------------------------Update Information: **Version 2.14.11** (2022-02-04) * Fix a security issue when in a sandbox: the `sort` filter must require a Closure for the `arrow` parameter * Fix deprecation notice on `round` * Fix call to deprecated `convertToHtml` method --------------------------------------------------------------------------------ChangeLog: * Fri Feb 4 2022 Remi Collet - 2.14.11-1 - update to 2.14.11 --------------------------------------------------------------------------------References: [ 1 ] Bug #2051361 - CVE-2022-23614 twig: Disallow non closures in `sort` filter when the sandbox mode is enabled https://bugzilla.redhat.com/show_bug.cgi?id=2051361 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-58abb323f0' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Get the latest Linux and open source security news straight to your inbox.