Security: Arbitrary command execution in php-twig
Name: Arbitrary command execution in php-twig
ID: FEDORA-2015-13463
Distribution: Fedora
Platforms: Fedora 23
Date: Thu, 27 August 2015, 23:16
References: https://bugzilla.redhat.com/show_bug.cgi?id=1255796
Applications: php-twig

Original message

Name        : php-twig
Product     : Fedora 23
Version     : 1.20.0
Release     : 1.fc23
URL         : http://twig.sensiolabs.org
Summary     : The flexible, fast, and secure template engine for PHP
Description :
The flexible, fast, and secure template engine for PHP.

* Fast: Twig compiles templates down to plain optimized PHP code. The overhead compared to regular PHP code was reduced to the very minimum.
* Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design.
* Flexible: Twig is powered by a flexible lexer and parser. This allows the developer to define its own custom tags and filters, and create its own DSL.

--------------------------------------------------------------------------------
Update Information:

## 1.20.0 (2015-08-12)

* forbid access to the Twig environment from templates and internal parts of Twig_Template
* fixed limited RCEs when in sandbox mode
* deprecated Twig_Template::getEnvironment()
* deprecated the _self variable for usage outside of the from and import tags
* added Twig_BaseNodeVisitor to ease the compatibility of node visitors between 1.x and 2.x

## 1.19.0 (2015-07-31)

* fixed wrong error message when including an undefined template in a child template
* added support for variadic filters, functions, and tests
* added support for extra positional arguments in macros
* added ignore_missing flag to the source function
* fixed batch filter with zero items
* deprecated Twig_Environment::clearTemplateCache()
* fixed sandbox disabling when using the include function

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1249259 - php-twig-v1.20.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1249259
  [ 2 ] Bug #1255796 - php-twig: Remote code execution via Twig templates [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1255796

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update php-twig' at the command line. For more information, refer to "Managing Software with yum", available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce