Debian Patches
Status for php-twig/3.5.1-1+deb12u3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-Match-current-ICU-output.patch | Match current ICU output | David Prévot <david@tilapin.org> | no | debian | 2022-05-26 | |
| 0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch | Fix a security issue when an included sandboxed template has been loaded before without the sandbox context | Fabien Potencier <fabien@potencier.org> | yes | debian upstream | backport, https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de | 2024-09-09 |
| 0003-Fix-sandbox-handling-for-__toString.patch | Fix sandbox handling for __toString() | Fabien Potencier <fabien@potencier.org> | yes | debian upstream | backport, https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc | 2024-10-25 |
| 0004-security-cve-2026-46628-Pre-escape-HTML-input-on-the.patch | security #cve-2026-46628 Pre-escape HTML input on the `spaceless` filter (fabpot) This PR was merged into the twig-3.x branch. |
Fabien Potencier <fabien@potencier.org> | yes | debian upstream | backport, https://github.com/twigphp/twig/commit/7923de168b908305489bc07d859f2cb93b0f0ade | 2026-05-20 |
| 0005-security-cve-2026-46629-Fix-unbounded-memoisation-of.patch | security #cve-2026-46629 Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter` (alexandre-daubois) This PR was merged into the twig-3.x branch. |
Fabien Potencier <fabien@potencier.org> | yes | debian upstream | upstream, https://github.com/twigphp/twig/commit/afe54db2e5a6586a132100b58d8fd05b5f484eed | 2026-05-19 |
| 0006-security-cve-2026-46633-Fix-sandbox-bypass-PHP-code-.patch | security #cve-2026-46633 Fix sandbox bypass: PHP code injection via {% use %} template name (alexandre-daubois, fabpot) This PR was merged into the twig-3.x branch. |
Fabien Potencier <fabien@potencier.org> | yes | debian upstream | backport, https://github.com/twigphp/twig/commit/ea7879a67f5b2d94514220cff4658969e6f69855 | 2026-05-19 |
| 0007-security-cve-2026-46637-Fix-XSS-and-pre-escape-input.patch | security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (nicolas-grekas) This PR was squashed before being merged into the twig-3.x branch. |
Fabien Potencier <fabien@potencier.org> | yes | debian upstream | backport, https://github.com/twigphp/twig/commit/b675555ea2f7a0e2438d1086923d06d98930714b | 2026-05-19 |
| 0008-security-cve-2026-47730-Profiler-Escape-template-and.patch | security #cve-2026-47730 [Profiler] Escape template and profile names in `HtmlDumper` (nicolas-grekas) This PR was merged into the twig-3.x branch. |
Fabien Potencier <fabien@potencier.org> | yes | debian upstream | backport, https://github.com/twigphp/twig/commit/3464990a5147015d1a5d873a00048b2ae2b01279 | 2026-05-20 |
| 0009-Update-expected-output-with-php-symfony-intl-latest-.patch | Update expected output with php-symfony-intl latest update | David Prévot <taffit@debian.org> | no | 2026-06-02 |
All known versions for source package 'php-twig'
- 4.0.0~alpha1-1 (experimental)
- 3.27.1-1 (sid, forky)
- 3.27.0-0+deb13u1 (trixie-security, trixie)
- 3.5.1-1+deb12u3 (bookworm, bookworm-security)
