Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Fedora 40: FEDORA-2024-9ed24c98cd Moderate: Command Injection Risk

fedora
Calendar Grey June 20, 2024
Dist Fedora Esm H88
Fedora 40 has released a security update addressing command injection vulnerabilities associated with harmful branch names in Composer. More information can be found here.
Version 2.7.7 2024-06-10 Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241) Security: Fixed multiple command injections via mali...

Summary

Composer helps you declare, manage and install dependencies of PHP projects,

ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

Update Information:

Version 2.7.7 2024-06-10 Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241) Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242) Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957) Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000) Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001) Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c) Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c) Fixed perforce argument escaping (3773f775) Fixed handling of zip bombs when extracting archives (de5f7e32) Fixed Windows command parameter escaping to prevent abuse of unicode characters with bes...

Topics%20covered

Topics Covered

security advisory moderate fedora software update command injection composer malicious branch

Change Log

* Tue Jun 11 2024 Remi Collet - 2.7.7-1 - update to 2.7.7

References


[ 1 ] Bug #2291429 - CVE-2024-35242 composer: crafted branch names can lead to command injection https://bugzilla.redhat.com/show_bug.cgi?id=2291429 [ 2 ] Bug #2291430 - CVE-2024-35241 composer: crafted branch names in the repository can be used to execute code https://bugzilla.redhat.com/show_bug.cgi?id=2291430

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-9ed24c98cd' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Name: composer
Product: Fedora 40
Version: 2.7.7
Release: 1.fc40
URL: https://getcomposer.org/
Summary: Dependency Manager for PHP

Topics%20covered

Topics Covered

security advisory moderate fedora software update command injection composer malicious branch

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here