Several security issues were fixed in Composer.
Software Description:
- composer: Dependency Manager for PHP
Details:
Thomas Chauchefoin discovered that Composer did not correctly handle
certain arguments. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-24828, CVE-2023-43655)
Ed Cradock discovered that Composer did not correctly handle the exclusion
of certain files. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)
Martin Haunschmid discovered that Composer did not correctly handle git
branch names. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-35241)
Maciej Piechota discovered that Composer did not correctly handle VCS
branch names. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-35242)
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
composer 2.7.1-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
composer 2.2.6-2ubuntu4+esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
composer 1.10.1-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
composer 1.6.3-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
composer 1.0.0~beta2-1ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.https://ubuntu.com/security/notices/USN-7603-1
CVE-2022-24828, CVE-2023-43655, CVE-2024-24821, CVE-2024-35241,
CVE-2024-35242
Get the latest Linux and open source security news straight to your inbox.