Update dependency twig/twig to v2.15.3 [SECURITY] #581

Open: wants to merge 1 commit into master
Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Mar 23, 2022

Mend Renovate

This PR contains the following updates:

Package: twig/twig (source)
Change: 2.11.2 -> 2.15.3

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2022-23614

Description

When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions.

Resolution

We now disallow calling a non-Closure in the sort filter, as we already did for some other filters.

Credits

We would like to thank Marlon Starkloff for reporting the issue and Fabien Potencier for fixing the issue.

CVE-2022-39261

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.


Release Notes

twigphp/Twig (twig/twig)

Versions covered by this update (each linked to a source comparison on GitHub):

v2.15.3
v2.15.2
v2.15.1
v2.15.0
v2.14.13
v2.14.12
v2.14.11
v2.14.10
v2.14.9
v2.14.8
v2.14.7
v2.14.6
v2.14.5
v2.14.4
v2.14.3
v2.14.2
v2.14.1
v2.14.0
v2.13.1
v2.13.0
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
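The sandbox guard that CVE-2022-23614 (above) calls for, as an added PHP example that is not Twig's own code. The functions sortWithArrow and sortWithArrowSandboxed and the $sandboxed flag are hypothetical stand-ins for the sort filter and for Twig's sandbox state; the point they show is that uasort() will happily invoke any PHP callable it is handed, including a plain string naming a built-in function, which a sandbox policy (which governs Twig-level functions, filters, tags and object member access) never gets to inspect:

```php
<?php
declare(strict_types=1);

// Added example, not Twig's code: why the "arrow" of a sort filter must be a
// Closure when templates are untrusted (sandbox mode).

/**
 * Sorts $items with a caller-supplied comparator, the way a template filter would.
 * uasort() accepts any PHP callable: a Closure, an [object, method] pair, or a
 * plain string naming any defined function.
 */
function sortWithArrow(array $items, $arrow): array
{
    uasort($items, $arrow);
    return $items;
}

/**
 * Hardened variant: when the template is sandboxed, only a Closure is accepted.
 * A string or array callable names a real PHP function chosen by the template
 * author, and the sandbox policy never sees that call.
 */
function sortWithArrowSandboxed(array $items, $arrow, bool $sandboxed): array
{
    if ($sandboxed && !$arrow instanceof \Closure) {
        throw new RuntimeException(
            'The "arrow" argument of the sort filter must be a Closure in sandbox mode.'
        );
    }
    return sortWithArrow($items, $arrow);
}

// Constructed sample data.
$items = ['pear', 'apple', 'fig'];

// 1. A legitimate template arrow compiles to a Closure and keeps working under the guard.
$byLength = static function (string $a, string $b): int {
    return strlen($a) <=> strlen($b);
};
print_r(sortWithArrowSandboxed($items, $byLength, true)); // fig, pear, apple

// 2. Without the guard, a string literal is accepted as a callable: uasort() calls
//    strcmp($a, $b) on our behalf. An attacker who controls a sandboxed template
//    would name a far more dangerous function; strcmp is used here only to show
//    that the string reaches uasort() unchecked.
print_r(sortWithArrow($items, 'strcmp'));

// 3. With the guard in place the same string is refused for a sandboxed template...
try {
    sortWithArrowSandboxed($items, 'strcmp', true);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// ...and still allowed for trusted templates, so existing non-sandboxed behaviour is kept.
print_r(sortWithArrowSandboxed($items, 'strcmp', false));
```

The check is deliberately on the PHP type, not on a list of "bad" function names: the set of callables a template can name is every function loaded in the process, so an allow-list of Closure (which only template-compiled arrows produce) is the only boundary that stays correct as the application grows.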
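The validation-ordering mistake that CVE-2022-39261 (above) describes, as an added PHP example that is not Twig's FilesystemLoader. The class TemplatePathResolver, its method names and the directory layout are constructed for illustration; the segment-counting traversal check is written from scratch here to show why running it on the full "@namespace/short" name lets "@somewhere/../some.file" through, while running it on the short name after the namespace is stripped refuses it:

```php
<?php
declare(strict_types=1);

// Added example, not Twig's code: a traversal check applied to the wrong string.

final class TemplatePathResolver
{
    /** @var array<string,string> namespace => directory (constructed layout) */
    private $dirs;

    public function __construct(array $dirs)
    {
        $this->dirs = $dirs;
    }

    /** Segment-counting check: every ".." must be preceded by a real directory segment. */
    private function assertNoEscape(string $name): void
    {
        if (strpos($name, "\0") !== false) {
            throw new RuntimeException('NUL byte in template name');
        }
        $level = 0;
        foreach (explode('/', ltrim($name, '/')) as $part) {
            if ($part === '..') {
                --$level;
            } elseif ($part !== '.' && $part !== '') {
                ++$level;
            }
            if ($level < 0) {
                throw new RuntimeException("template name escapes its directory: $name");
            }
        }
    }

    /** "@ns/short" => [ns, short]; names without "@" belong to the "main" namespace. */
    private function parseName(string $name): array
    {
        if ($name !== '' && $name[0] === '@') {
            $slash = strpos($name, '/');
            if ($slash === false) {
                throw new RuntimeException("malformed namespaced name: $name");
            }
            return [substr($name, 1, $slash - 1), substr($name, $slash + 1)];
        }
        return ['main', $name];
    }

    private function dirFor(string $ns): string
    {
        if (!isset($this->dirs[$ns])) {
            throw new RuntimeException("unknown namespace: $ns");
        }
        return $this->dirs[$ns];
    }

    /** Vulnerable ordering: check the full name, then strip the namespace. */
    public function resolveVulnerable(string $name): string
    {
        $this->assertNoEscape($name);             // "@somewhere" counts +1, ".." counts -1: never negative
        [$ns, $short] = $this->parseName($name);  // $short is now "../some.file"
        return $this->dirFor($ns) . '/' . $short; // the ".." reaches the filesystem untouched
    }

    /** Fixed ordering: strip the namespace first, then check what is actually joined to the directory. */
    public function resolveFixed(string $name): string
    {
        [$ns, $short] = $this->parseName($name);
        $this->assertNoEscape($short);            // "../some.file" drops to level -1 on its first segment
        return $this->dirFor($ns) . '/' . $short;
    }
}

// Constructed layout: the "somewhere" namespace points at the templates directory itself.
$resolver = new TemplatePathResolver([
    'main'      => '/srv/app/templates',
    'somewhere' => '/srv/app/templates',
]);

echo $resolver->resolveVulnerable('@somewhere/../some.file'), "\n";
// /srv/app/templates/../some.file, i.e. /srv/app/some.file: outside the templates directory.

try {
    $resolver->resolveFixed('@somewhere/../some.file');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo $resolver->resolveFixed('@somewhere/partials/footer.html.twig'), "\n"; // legitimate names still resolve
```

Two practical notes. First, the template name is user input here only because the application feeds it one; if you can avoid letting request data pick the template name at all, do that first. Second, a lexical check like the one above says nothing about symlinks, so before reading the resolved file it is worth also confirming that realpath() of the final path still starts with realpath() of the configured directory.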

@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 12 times, most recently from 4b8e691 to 21c3119 Compare May 5, 2022 21:16
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 6 times, most recently from b5a3800 to 44cc81b Compare May 7, 2022 22:20
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 2 times, most recently from 3fa470e to 96d6991 Compare May 17, 2022 06:18
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch from 96d6991 to 338148d Compare June 2, 2022 12:22
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 2 times, most recently from 5edc740 to 3cd718f Compare June 21, 2022 20:02
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 5 times, most recently from 8a998f3 to 77ef4b1 Compare August 18, 2022 19:11
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 2 times, most recently from 90844bc to b13ba77 Compare August 29, 2022 20:49
@renovate renovate bot restored the renovate/packagist-twig/twig-vulnerability branch January 7, 2023 05:13
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 5 times, most recently from ab70359 to 8672220 Compare June 2, 2023 19:37
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 10 times, most recently from bb6f546 to 2b266d9 Compare June 28, 2023 19:50
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 3 times, most recently from e1057b0 to 38958d9 Compare June 30, 2023 13:54
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 4 times, most recently from 07ef6c9 to 7d502ff Compare July 20, 2023 14:26
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch 3 times, most recently from 7dcc7a3 to 2910f16 Compare July 26, 2023 20:26
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch from 2910f16 to 819a573 Compare July 30, 2023 05:38
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch from 819a573 to d787d07 Compare August 11, 2023 21:36
@renovate renovate bot force-pushed the renovate/packagist-twig/twig-vulnerability branch from d787d07 to 100d275 Compare August 18, 2023 04:08