From ${URL} :

A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.

Reference: https://symfony.com/blog/twig-sandbox-information-disclosure
Upstream commit: https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b71d712064b76fd4b04d184948528528479b242

commit 1b71d712064b76fd4b04d184948528528479b242
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2019-05-06 19:46:15 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2019-05-06 19:46:15 +0000

    dev-php/twig: version bump to 1.40.1 (fixes CVE-2019-9942)

    Closes: https://bugs.gentoo.org/681862
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 dev-php/twig/Manifest                           |  1 +
 dev-php/twig/files/1.40.1-autoloader-path.patch | 16 +++++
 dev-php/twig/twig-1.40.1.ebuild                 | 87 +++++++++++++++++++++++++
 3 files changed, 104 insertions(+)
Sorry that took a bit long -- it's been very busy.
Please drop vulnerable.
Done.
(In reply to Dirkjan Ochtman from comment #4)
> Done.

Thanks!