Format: 1.8
Date: Wed, 27 May 2026 23:21:18 +0200
Source: php-twig
Binary: php-twig php-twig-cache-extra php-twig-cssinliner-extra php-twig-doc php-twig-extra-bundle php-twig-html-extra php-twig-inky-extra php-twig-intl-extra php-twig-markdown-extra php-twig-string-extra
Architecture: all
Version: 3.27.0-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: David Prévot
Description:
 php-twig - Flexible, fast, and secure template engine for PHP
 php-twig-cache-extra -
 php-twig-cssinliner-extra -
 php-twig-doc - Twig template engine documentation
 php-twig-extra-bundle -
 php-twig-html-extra -
 php-twig-inky-extra -
 php-twig-intl-extra -
 php-twig-markdown-extra -
 php-twig-string-extra -
Changes:
 php-twig (3.27.0-0+deb13u1) trixie-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix sandbox bypass: propagate sandbox state to checkArrow for
     source-policy sandboxing [CVE-2026-24425]
   * Fix sandbox `__toString` bypasses [CVE-2026-47732]
   * Pre-escape HTML input on the `spaceless` filter [CVE-2026-46628]
   * Document template_from_string caveats when used in a sandboxed env
     [CVE-2026-46634]
   * Document that the sandbox doesn't protect against resource exhaustion
     [CVE-2026-46627]
   * Fix sandbox bypass in deprecated internal wrappers [CVE-2026-48805]
   * Fix sandbox bypass in the "column" filter under SourcePolicyInterface
     [CVE-2026-48808]
   * Fix sandbox __toString bypass via Traversable in join/replace filters
   * Fix sandbox `__toString` bypass via the `in` and `not in` operators
     [CVE-2026-48807]
   * Fix sandbox __toString policy bypass via dynamic mapping keys
     [CVE-2026-48806]
   * Fix sandbox filter/tag/function allow-list bypass when sandbox state
     changes between renders [CVE-2026-46636]
   * Update CHANGELOG
   * Prepare the 3.27.0 release
 .
   [ Alexandre Daubois ]
   * Fix sandbox bypass in object destructuring assignment [CVE-2026-46639]
   * Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
     [CVE-2026-46629]
   * Fix sandbox bypass: PHP code injection via {% use %} template name
     [CVE-2026-46633]
   * Fix sandbox bypass in the `{% sandbox %}` tag when including a
     preloaded template [CVE-2026-46638]
   * Fix sandbox bypass: PHP code injection via _self / import macro
     reference [CVE-2026-46640]
   * Fix sandbox bypass in the "column" filter [CVE-2026-46635]
 .
   [ Nicolas Grekas ]
   * Fix XSS by adjusting `is_safe` annotation on HTML-emitting filters
     [CVE-2026-46637]
   * Pre-escape HTML input on `inline_css` and `inky_to_html` filters
   * [Profiler] Escape template and profile names in HtmlDumper
     [CVE-2026-47730]
 .
   [ David Prévot ]
   * Track debian/trixie branch
   * Refresh patches
   * Make phpab tolerant
   * Update build for related path