Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 523
Alerts This Week
Warning Icon 1 523

Fedora 39: 2024-bb55f8476a Moderate: Composer Command Injection Risk

fedora
Calendar Grey June 20, 2024
Scroller Fedora
Security notice issued for Fedora 39 composer to mitigate risks from command injections through harmful branch identifications.
Version 2.7.7 2024-06-10 Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241) Security: Fixed multiple command injections via mali...

Summary

Composer helps you declare, manage and install dependencies of PHP projects,

ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

Update Information:

Version 2.7.7 2024-06-10 Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241) Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242) Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957) Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000) Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001) Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c) Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c) Fixed perforce argument escaping (3773f775) Fixed handling of zip bombs when extracting archives (de5f7e32) Fixed Windows command parameter escaping to prevent abuse of unicode characters with bes...

Change Log

* Tue Jun 11 2024 Remi Collet - 2.7.7-1 - update to 2.7.7

References


[ 1 ] Bug #2291429 - CVE-2024-35242 composer: crafted branch names can lead to command injection https://bugzilla.redhat.com/show_bug.cgi?id=2291429 [ 2 ] Bug #2291430 - CVE-2024-35241 composer: crafted branch names in the repository can be used to execute code https://bugzilla.redhat.com/show_bug.cgi?id=2291430

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-bb55f8476a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Name: composer
Product: Fedora 39
Version: 2.7.7
Release: 1.fc39
Summary: Dependency Manager for PHP

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.