
Fedora 42 Composer Security Issue Command Injection Fix 2026-d91f313a63

fedora
April 23, 2026
Security update for composer in Fedora 42 that fixes command injection issues.

Summary

Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

Update Information:

Version 2.9.7 - 2026-04-14

* Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

* Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
* Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
* Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
* Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
* Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
* Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
* Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
* Fixed GitHub API authentication errors not being visible t...
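To see whether a project is exposed to the Perforce and identifier-validation items above, its `composer.lock` can be audited for Perforce sources and for VCS references that begin with `-`. The script below is an added example, not part of the advisory or of Composer; it assumes the usual lock-file layout (`packages` / `packages-dev` entries carrying a `source` object with `type`, `url` and `reference`), and the sample data and the `audit_lock` helper are constructed for illustration.

```python
import json
import sys

# VCS source types named in the hardening entry of the changelog above.
VCS_TYPES = {"git", "hg", "perforce", "fossil"}

# Constructed sample in composer.lock shape (not real packages or hosts).
SAMPLE_LOCK = {
    "packages": [
        {"name": "acme/clean", "source": {"type": "git",
            "url": "https://example.invalid/acme/clean.git", "reference": "0123abcd"}},
        {"name": "acme/depot", "source": {"type": "perforce",
            "url": "p4.example.invalid:1666", "reference": "//depot/main@42"}},
        {"name": "acme/dist-only", "dist": {"type": "zip",
            "url": "https://example.invalid/a.zip"}},
    ],
    "packages-dev": [
        {"name": "acme/odd", "source": {"type": "git",
            "url": "https://example.invalid/acme/odd.git", "reference": "--constructed-ref"}},
    ],
}

def audit_lock(lock):
    """Return (package, finding) pairs for a parsed composer.lock dict."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            src = pkg.get("source") or {}  # dist-only packages have no source
            stype = str(src.get("type", "")).lower()
            ref = str(src.get("reference") or "")
            name = pkg.get("name", "<unnamed>")
            if stype == "perforce":
                # Both CVEs in this advisory concern Perforce sources.
                findings.append((name, "perforce source"))
            if stype in VCS_TYPES and ref.startswith("-"):
                # Matches the "starting with -" hardening entry.
                findings.append((name, "leading-dash reference"))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for name, finding in audit_lock(lock):
        print(f"{name}: {finding}")
```

Any finding is a prompt to review where that package definition came from and to confirm the host runs the fixed composer build; an empty result does not replace applying the update.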

Change Log

* Tue Apr 14 2026 Remi Collet - 2.9.7-1
- update to 2.9.7
* Tue Apr 14 2026 Remi Collet - 2.9.6-1
- update to 2.9.6

References


[ 1 ] Bug #2459009 - CVE-2026-40261 composer: command injection via malicious Perforce source reference/url [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2459009
[ 2 ] Bug #2459011 - CVE-2026-40176 composer: command injection via malicious Perforce repository definition [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2459011

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-d91f313a63' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important

Name: composer
Product: Fedora 42
Version: 2.9.7
Release: 1.fc42
Summary: Dependency Manager for PHP
