This update for php-composer2 fixes the following issues:
* CVE-2026-40176: command injection via malicious Perforce repository definition (bsc#1262254).
* CVE-2026-40261: command injection via malicious Perforce source reference/url (bsc#1262255).
Changes for php-composer2:
* version update to 2.2.27 (align with upstream LTS version)
  * Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  * Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  * Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  * Fixed issue handling paths with = in them on Windows (#11568)
* version 2.2.26 2025-12-30
  * Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
* version 2.2.25 2024-12-11
  * Fixed deprecation notices appearing on this LTS version in case it is used
...
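A triage check for hosts that are still waiting for the update, as an added example that is not part of the SUSE advisory or of Composer's code: it flags Perforce repository definitions in composer.json and, in composer.lock, Perforce sources and source URLs or references that begin with `-`, the inputs named in the CVE descriptions and the hardening note above. The sample manifests, package names and hostnames are constructed; a finding marks an entry for review and is not proof of exploitation.

```python
import json

# Constructed sample manifests (not taken from any real project).
SAMPLE_JSON = json.dumps({"repositories": [
    {"type": "perforce", "url": "p4.example.invalid:1666", "depot": "demo"},
    {"type": "vcs", "url": "https://git.example.invalid/acme/lib.git"},
]})
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "acme/lib", "source": {"type": "git",
        "url": "https://git.example.invalid/acme/lib.git",
        "reference": "-leading-dash"}},
    {"name": "acme/p4lib", "source": {"type": "perforce",
        "url": "p4.example.invalid:1666", "reference": "constructed-ref"}},
    {"name": "acme/ok", "source": {"type": "git",
        "url": "https://git.example.invalid/acme/ok.git",
        "reference": "0123abcd"}},
], "packages-dev": []})


def audit_manifest(composer_json: str) -> list:
    """Flag repository definitions of type 'perforce' in composer.json."""
    repos = json.loads(composer_json).get("repositories") or []
    if isinstance(repos, dict):  # object form, keyed by repository name
        repos = list(repos.values())
    return [
        f"repositories[{i}]: perforce repository {repo.get('url')!r}"
        for i, repo in enumerate(repos)
        if isinstance(repo, dict) and repo.get("type") == "perforce"
    ]


def audit_lock(composer_lock: str) -> list:
    """Flag Perforce sources and dash-leading url/reference in composer.lock."""
    lock = json.loads(composer_lock)
    findings = []
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        src, name = pkg.get("source") or {}, pkg.get("name", "?")
        if src.get("type") == "perforce":
            findings.append(f"{name}: perforce source")
        for field in ("url", "reference"):
            if str(src.get(field, "")).startswith("-"):
                findings.append(f"{name}: source {field} starts with '-'")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_JSON) + audit_lock(SAMPLE_LOCK):
        print("REVIEW:", line)
```
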
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-1970=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1970=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1970=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1970=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1970=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1970=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1970=1
* SUSE Linux Enterprise...
* openSUSE Leap 15.4 (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* php-composer2-2.2.27-150400.3.18.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* php-composer2-2.2.27-150400.3.18.1
* bsc#1262254
* bsc#1262255
## References:
* https://www.suse.com/security/cve/CVE-2022-24828.html
* https://www.suse.com/security/cve/CVE-2023-43655.html
* https://www.suse.com/security/cve/CVE-2024-24821.html
* https://www.suse.com/security/cve/CVE-2024-35241.html
* https://www.suse.com/security/cve/CVE-2024-35242.html
* https://www.suse.com/security/cve/CVE-2025-67746.html
* https://www.suse.com/security/cve/CVE-2026-40176.html
* https://www.suse.com/security/cve/CVE-2026-40261.html
* https://bugzilla.suse.com/show_bug.cgi?id=1262254
* https://bugzilla.suse.com/show_bug.cgi?id=1262255