-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Jun 2026 05:22:19 +0200
Source: php-twig
Architecture: source
Version: 3.5.1-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Closes: 1086884
Changes:
 php-twig (3.5.1-1+deb12u2) bookworm-security; urgency=medium
 .
   * Backport security fixes from upstream
     - Fix sandbox handling for __toString() [CVE-2024-51754]
       (Closes: #1086884)
     - Pre-escape HTML input on the `spaceless` [CVE-2026-46628]
     - Fix unbounded memoisation of `IntlDateFormatter` / `NumberFormatter`
       [CVE-2026-46629]
     - Fix sandbox bypass: PHP code injection via {% use %} template name
       [CVE-2026-46633]
     - Fix XSS and pre-escape input on HTML-emitting filters in the extras
       [CVE-2026-46637]
     - [Profiler] Escape template and profile names in `HtmlDumper`
       [CVE-2026-47730]
   * Update expected output with php-symfony-intl latest update
Checksums-Sha1:
 44e1668f485bdc8dc42a4d2264072bf964c2ed14 2910 php-twig_3.5.1-1+deb12u2.dsc
 a7c3f886bff99952262bb9b3bab9fd62c2fadaf5 26476 php-twig_3.5.1-1+deb12u2.debian.tar.xz
 3854c1a47a7d96a0a192a1e81b627bf870abf7be 14295 php-twig_3.5.1-1+deb12u2_amd64.buildinfo
Checksums-Sha256:
 65e9b2f450d3093b058f5dbab926fb5577e595dbd98b1b1c8e86e413c6f53342 2910 php-twig_3.5.1-1+deb12u2.dsc
 9497fd3c1c8ad90e38a8e772e33ab2c0c9815318ad116e3988c965c846620c21 26476 php-twig_3.5.1-1+deb12u2.debian.tar.xz
 d0a3c69e8c25cce58f9cf2b99107f98924b8efac3192712a20366e037b818cb3 14295 php-twig_3.5.1-1+deb12u2_amd64.buildinfo
Files:
 b8a51bb78d260303637e9443c5ff5e6b 2910 php optional php-twig_3.5.1-1+deb12u2.dsc
 80a9984d1f60e3f754fbc75169490515 26476 php optional php-twig_3.5.1-1+deb12u2.debian.tar.xz
 edb32a0afb6c03980c434b0cc94eb485 14295 php optional php-twig_3.5.1-1+deb12u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoewCoSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08ZM8H+wTTGVJsuZQtcfkuueXBDfWyR76JHYAe
8lJDSnGZ5O+1Sm5ucjPbDvEKKI8uTTAQJDE+ppAm95evx1yaay2JZXid8JNnzRS7
Cg6tXF7OiypM8EUK6YvCYYuqIZ37CiRc3zr4m/4/CMh9DeOaKzj1W5WH5CVuM5UX
4KTWgqI0tKNx7En+wv0BtKiBy1SM/D5vlKwDSkQTx3r6FyfiqS+EaNNSGOPCWj69
x2zpXuhVR/hXHfIgSv/kOitbiR9NXdMt27oEczTg/a3N0Fn4eUfkRfzIyCjZIHjn
0QA3YYNJQGqcj33sWwCammnPvvgsi/rtx8jkAaoUI/kjwKDyvo/544Q=
=iwHk
-----END PGP SIGNATURE-----