openSUSE Security Update: Security update for php-composer

Announcement ID:    openSUSE-SU-2021:1289-1
Rating:             important
References:         #1185376 #1187416 
Cross-References:   CVE-2021-29472
CVSS scores:
                    CVE-2021-29472 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1

   An update that solves one vulnerability and has one errata
   is now available.


   This update for php-composer fixes the following issues:

   - Require php-mbstring as requested in boo#1187416

   - Version 1.10.22

     * Security: Fixed command injection vulnerability in
       HgDriver/HgDownloader and hardened other VCS drivers and downloaders
       (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472), boo#1185376

   - Version 1.10.21

     * Fixed support for new GitHub OAuth token format
     * Fixed processes silently ignoring the CWD when it does not exist

   - Version 1.10.20

     * Fixed exclude-from-classmap causing regex issues when having too many
     * Fixed compatibility issue with Symfony 4/5

   - Version 1.10.17

     * Fixed Bitbucket API authentication issue
     * Fixed parsing of Composer 2 lock files breaking in some rare conditions

   - Version 1.10.16

     * Added warning to validate command for cases where packages provide/
       replace a package that they also require
     * Fixed JSON schema validation issue with PHPStorm
     * Fixed symlink handling in archive command

   - Version 1.10.15

     * Fixed path repo version guessing issue

   - Version 1.10.14

     * Fixed version guesser to look at remote branches as well as local
     * Fixed path repositories version guessing to handle edge cases where
       version is different from the VCS-guessed version
     * Fixed COMPOSER env var causing issues when combined with the global
     * Fixed a few issues dealing with PHP without openssl extension (not
       recommended at all but sometimes needed for testing)

   - Version 1.10.13

     * Fixed regressions with old version validation
     * Fixed invalid root aliases not being reported

   - Version 1.10.12

     * Fixed regressions with old version validation

   - Version 1.10.11

     * Fixed more PHP 8 compatibility issues
     * Fixed regression in handling of CTRL-C when xdebug is loaded
     * Fixed status handling of broken symlinks

   - Version 1.10.10

     * Fixed create-project not triggering events while installing the root
     * Fixed PHP 8 compatibility issue
     * Fixed self-update to avoid automatically upgrading to the next major
       version once it becomes stable

   - Version 1.10.9

     * Fixed Bitbucket redirect loop when credentials are outdated
     * Fixed GitLab auth prompt wording
     * Fixed self-update handling of files requiring admin permissions to
       write to on Windows (it now does a UAC prompt)
     * Fixed parsing issues in funding.yml files

   - Version 1.10.8

     * Fixed compatibility issue with git being configured to show signatures
       by default
     * Fixed discarding of local changes when updating packages to include
       untracked files
     * Several minor fixes

   - Version 1.10.7

     * Fixed PHP 8 deprecations
     * Fixed detection of pcntl_signal being in disabled_functions when
       pcntl_async_signal is allowed

   - Version 1.10.6

     * Fixed version guessing to take composer-runtime-api and
       composer-plugin-api requirements into account to avoid selecting
       packages which require Composer 2
     * Fixed package name validation to allow several dashes following each
     * Fixed post-status-cmd script not firing when there were no changes to
       be displayed
     * Fixed composer-runtime-api support on Composer 1.x, the package is now
       present as 1.0.0
     * Fixed support for composer show --name-only --self
     * Fixed detection of GitLab URLs when handling authentication in some

   - Version 1.10.5

     * Fixed self-update on PHP <5.6, seriously please upgrade
     * Fixed 1.10.2 regression with PATH resolution in scripts

   - Version 1.10.4

     * Fixed 1.10.2 regression in path symlinking with absolute path repos

   - Version 1.10.3

     * Fixed invalid --2 flag warning in self-update when no channel is

   - Version 1.10.2

     * Added --1 flag to self-update command which can be added to automated
       self-update runs to make sure it won't automatically jump to 2.0 once
       that is released
     * Fixed path repository symlinks being made relative when the repo url
       is defined as absolute paths
     * Fixed potential issues when using "composer ..." in scripts and
       composer/composer was also required in the project
     * Fixed 1.10.0 regression when downloading GitHub archives from non-API
     * Fixed handling of malformed info in fund command
     * Fixed Symfony5 compatibility issues in a few commands

   - Version 1.10.1

     * Fixed path repository warning on empty path when using wildcards
     * Fixed superfluous warnings when generating optimized autoloaders

   - Version 1.10.0

     * Breaking: composer global exec ... now executes the process in the
       current working directory instead of executing it in the global
     * Warning: Added a warning when class names are being loaded by a PSR-4
       or PSR-0 rule only due to classmap optimization, but would not
       otherwise be autoloadable. Composer 2.0 will stop autoloading these
       classes so make sure you fix your autoload configs.
     * Added new funding key to composer.json to describe ways your package's
       maintenance can be funded. This reads info from GitHub's FUNDING.yml
       by default so better configure it there so it shows on GitHub and
     * Added composer fund command to show funding info of your dependencies
     * Added bearer auth config to authenticate using Authorization: Bearer
     * Added plugin-api-version in composer.lock so third-party tools can
       know which Composer version was used to generate a lock file
     * Added support for --format=json output for show command when showing a
       single package
     * Added support for configuring suggestions using config command, e.g.
       composer config some text
     * Added support for configuring fine-grained preferred-install using
       config command, e.g. composer config* dist
     * Added @putenv script handler to set environment variables from
       composer.json for following scripts
     * Added lock option that can be set to false, in which case no
       composer.lock file will be generated
     * Added --add-repository flag to create-project command which will
       persist the repo given in --repository into the composer.json of the
       package being installed
     * Fixed issue where --no-dev autoload generation was excluding some
       packages which should not have been excluded
     * Added support for IPv6 addresses in NO_PROXY
     * Added package homepage display in the show command
     * Added debug info about HTTP authentications
     * Added Symfony 5 compatibility
     * Added --fixed flag to require command to make it use a fixed
       constraint instead of a ^x.y constraint when adding the requirement
     * Fixed exclude-from-classmap matching subsets of directories e.g. foo/
       was excluding foobar/
     * Fixed archive command to persist file permissions inside the zip files
     * Fixed init/require command to avoid suggesting packages which are
       already selected in the search results
     * Fixed create-project UX issues
     * Fixed filemtime for vendor/composer/* files is now only changing when
       the files actually change
     * Fixed issues detecting docker environment with an active open_basedir

   - Version 1.9.3
     * Fixed GitHub deprecation of access_token query parameter, now using
       Authorization header

   - Version 1.9.2
     * Fixed minor git driver bugs
     * Fixed schema validation for version field to allow dev-* versions too
     * Fixed external processes' output being formatted even though it should
     * Fixed issue with path repositories when trying to install feature

   - Version 1.9.1
     * Fixed various credential handling issues with gitlab and github
     * Fixed credentials being present in git remotes in Composer cache and
       vendor directory when not using SSH keys
     * Fixed composer why not listing replacers as a reason something is
     * Fixed various PHP 7.4 compatibility issues
     * Fixed root warnings always present in Docker containers, setting
       COMPOSER_ALLOW_SUPERUSER is not necessary anymore
     * Fixed GitHub access tokens leaking into debug-verbosity output
     * Fixed several edge case issues detecting GitHub, Bitbucket and GitLab
       repository types
     * Fixed Composer asking if you want to use a composer.json in a parent
       directory when ran in non-interactive mode
     * Fixed classmap autoloading issue finding classes located within a few
       non-PHP context blocks (?>...