Debian Patches

Status for php-twig/3.5.1-1+deb12u3

Patch Description Author Forwarded Bugs Origin Last update
0001-Match-current-ICU-output.patch Match current ICU output David Prévot <david@tilapin.org> no debian 2022-05-26
0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch Fix a security issue when an included sandboxed template has been loaded before without the sandbox context Fabien Potencier <fabien@potencier.org> yes debian upstream backport, https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de 2024-09-09
0003-Fix-sandbox-handling-for-__toString.patch Fix sandbox handling for __toString() Fabien Potencier <fabien@potencier.org> yes debian upstream backport, https://github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc 2024-10-25
0004-security-cve-2026-46628-Pre-escape-HTML-input-on-the.patch security #cve-2026-46628 Pre-escape HTML input on the `spaceless` filter (fabpot)

This PR was merged into the twig-3.x branch.
Fabien Potencier <fabien@potencier.org> yes debian upstream backport, https://github.com/twigphp/twig/commit/7923de168b908305489bc07d859f2cb93b0f0ade 2026-05-20
0005-security-cve-2026-46629-Fix-unbounded-memoisation-of.patch security #cve-2026-46629 Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter` (alexandre-daubois)

This PR was merged into the twig-3.x branch.
Fabien Potencier <fabien@potencier.org> yes debian upstream upstream, https://github.com/twigphp/twig/commit/afe54db2e5a6586a132100b58d8fd05b5f484eed 2026-05-19
0006-security-cve-2026-46633-Fix-sandbox-bypass-PHP-code-.patch security #cve-2026-46633 Fix sandbox bypass: PHP code injection via {% use %} template name (alexandre-daubois, fabpot)

This PR was merged into the twig-3.x branch.
Fabien Potencier <fabien@potencier.org> yes debian upstream backport, https://github.com/twigphp/twig/commit/ea7879a67f5b2d94514220cff4658969e6f69855 2026-05-19
0007-security-cve-2026-46637-Fix-XSS-and-pre-escape-input.patch security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (nicolas-grekas)

This PR was squashed before being merged into the twig-3.x branch.
Fabien Potencier <fabien@potencier.org> yes debian upstream backport, https://github.com/twigphp/twig/commit/b675555ea2f7a0e2438d1086923d06d98930714b 2026-05-19
0008-security-cve-2026-47730-Profiler-Escape-template-and.patch security #cve-2026-47730 [Profiler] Escape template and profile names in `HtmlDumper` (nicolas-grekas)

This PR was merged into the twig-3.x branch.
Fabien Potencier <fabien@potencier.org> yes debian upstream backport, https://github.com/twigphp/twig/commit/3464990a5147015d1a5d873a00048b2ae2b01279 2026-05-20
0009-Update-expected-output-with-php-symfony-intl-latest-.patch Update expected output with php-symfony-intl latest update David Prévot <taffit@debian.org> no 2026-06-02

All known versions for source package 'php-twig'

Links