Debian 10032 Published by

A twig security update has been released for Debian GNU/Linux 10 to address a potential arbitrary file read vulnerability.

DLA 3147-1: twig security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3147-1 Chris Lamb
October 11, 2022
- -------------------------------------------------------------------------

Package : twig
Version : 2.6.2-2+deb10u1
CVE ID : CVE-2022-39261
Debian Bug : #1020991

It was discovered that there was a potential arbitrary file read
vulnerability in twig, a PHP templating library. It was caused by
insufficient validation of template names in 'source' and 'include'

For Debian 10 buster, this problem has been fixed in version

We recommend that you upgrade your twig packages.

For the detailed security status of twig please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: