Hello. Instead of no-dsa, I think we can mark CVE-2018-13818 as not-affected in stretch. I was unable to reproduce POC mentioned in CVE reference[1] in stretch. Also please consider upstream devs' comments[1]
--abhijith [1] - https://www.cvedetails.com/cve/CVE-2018-13818/ [2] - https://github.com/twigphp/Twig/issues/2743#issuecomment-418817089
