Version 2.9.3 - 2025-12-30
Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677).

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-13b4dbe546
2026-01-14 01:09:41.794572+00:00
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 42
Version     : 2.9.3
Release     : 1.fc42
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:

Version 2.9.3 - 2025-12-30

  Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
  Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
  Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
  Fixed client-certificate authentication implementation (#12667)
  Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
  Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
  Fixed support for SecureTransport + LibreSSL on macOS (#12615)
  Fixed display of reasons for why advisories are ignored (#12668)
  Fixed compatibility issues when git has log.showSignature enabled (#12666)
  Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
  Fixed EventDispatcher requiring a full Composer instance to function (#12629)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 31 2025 Remi Collet - 2.9.3-1
- update to 2.9.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2428107 - CVE-2025-67746 composer: Composer: Terminal output manipulation leading to Denial of Service [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2428107
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-13b4dbe546' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list
Version 2.9.3 - 2025-12-30
Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677).

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0b03072979
2026-01-14 00:50:55.476166+00:00
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 43
Version     : 2.9.3
Release     : 1.fc43
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:

Version 2.9.3 - 2025-12-30

  Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
  Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
  Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
  Fixed client-certificate authentication implementation (#12667)
  Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
  Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
  Fixed support for SecureTransport + LibreSSL on macOS (#12615)
  Fixed display of reasons for why advisories are ignored (#12668)
  Fixed compatibility issues when git has log.showSignature enabled (#12666)
  Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
  Fixed EventDispatcher requiring a full Composer instance to function (#12629)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 31 2025 Remi Collet - 2.9.3-1
- update to 2.9.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2428108 - CVE-2025-67746 composer: Composer: Terminal output manipulation leading to Denial of Service [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2428108
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0b03072979' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Multiple vulnerabilities have been discovered in Composer, the worst of which can lead to arbitrary code execution.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory              GLSA 202508-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Composer: Multiple Vulnerabilities
      Date: August 06, 2025
      Bugs: #838268
        ID: 202508-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Composer, the worst of
which can lead to arbitrary code execution.

Background
==========

Composer is a dependency manager for the PHP programming language.

Affected packages
=================

    Package           Vulnerable    Unaffected
    ----------------  ------------  ------------
    dev-php/composer
Several security issues were fixed in Composer.

==========================================================================
Ubuntu Security Notice USN-7603-1
June 30, 2025

composer vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Composer.

Software Description:
- composer: Dependency Manager for PHP

Details:

Thomas Chauchefoin discovered that Composer did not correctly handle certain
arguments. An attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655)

Ed Cradock discovered that Composer did not correctly handle the exclusion
of certain files. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)

Martin Haunschmid discovered that Composer did not correctly handle git
branch names. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-35241)

Maciej Piechota discovered that Composer did not correctly handle VCS
branch names. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-35242)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  composer                        2.7.1-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  composer                        2.2.6-2ubuntu4+esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  composer                        1.10.1-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  composer                        1.6.3-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  composer                        1.0.0~beta2-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7603-1
  CVE-2022-24828, CVE-2023-43655, CVE-2024-24821, CVE-2024-35241,
  CVE-2024-35242

LinuxSecurity.com Team summary: Numerous vulnerabilities in Composer for Ubuntu editions present significant dangers, necessitating prompt upgrades. Severity: Critical.
The update for composer released as DSA 5715 introduced a regression in the handling of git feature branches. Updated composer packages are now available to address this issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5715-2
Version 2.7.7 2024-06-10
Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242).

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-bb55f8476a
2024-06-20 08:00:46.156359
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 39
Version     : 2.7.7
Release     : 1.fc39
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:

Version 2.7.7 2024-06-10

  Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
  Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
  Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
  Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  Fixed perforce argument escaping (3773f775)
  Fixed handling of zip bombs when extracting archives (de5f7e32)
  Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
  Fixed ability for config command to remove autoload keys (#11967)
  Fixed empty type support in init command (#11999)
  Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
  Fixed regression showing network errors on PHP
Version 2.7.7 2024-06-10
Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242).

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-9ed24c98cd
2024-06-20 01:49:57.623881
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 40
Version     : 2.7.7
Release     : 1.fc40
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:

Version 2.7.7 2024-06-10

  Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
  Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
  Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
  Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  Fixed perforce argument escaping (3773f775)
  Fixed handling of zip bombs when extracting archives (de5f7e32)
  Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
  Fixed ability for config command to remove autoload keys (#11967)
  Fixed empty type support in init command (#11999)
  Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
  Fixed regression showing network errors on PHP
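Both 2.7.7 notices above (Fedora 39 and Fedora 40) list "Fixed handling of zip bombs when extracting archives (de5f7e32)" without describing what the check is. As an added illustration that is not Composer's code, the following Python shows the two layers a practitioner would want in front of any dependency archive: a header-only pass that rejects implausible declared sizes, compression ratios and traversal paths before a single byte is inflated, and a streaming extraction that counts the bytes actually produced against a budget, because the central directory is attacker-controlled and may under-report. The size limits and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Policy values assumed for this example; tune per deployment.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # bytes an archive may expand to
MAX_RATIO = 100                             # uncompressed / compressed
RATIO_FLOOR = 1024 * 1024                   # only apply the ratio test above 1 MiB


class SuspiciousArchive(Exception):
    pass


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory (no inflation) and total the declared sizes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    ratio = uncompressed / compressed if compressed else float("inf")
    traversal = [i.filename for i in infos
                 if i.filename.startswith("/") or ".." in i.filename.split("/")]
    return {"members": len(infos), "uncompressed": uncompressed,
            "compressed": compressed, "ratio": ratio, "traversal": traversal}


def check_zip(data: bytes) -> dict:
    """Reject an archive before extraction if its headers already look wrong."""
    info = inspect_zip(data)
    if info["traversal"]:
        raise SuspiciousArchive(f"path traversal in members: {info['traversal']}")
    if info["uncompressed"] > MAX_TOTAL_UNCOMPRESSED:
        raise SuspiciousArchive(f"declares {info['uncompressed']} bytes, over budget")
    if info["uncompressed"] > RATIO_FLOOR and info["ratio"] > MAX_RATIO:
        raise SuspiciousArchive(f"compression ratio {info['ratio']:.0f}:1 looks like a bomb")
    return info


def is_suspicious(data: bytes) -> bool:
    try:
        check_zip(data)
    except SuspiciousArchive:
        return True
    return False


def extract_with_budget(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Inflate members in chunks and count the bytes actually produced, so the
    budget holds even if the central directory under-reports sizes."""
    out, remaining = {}, budget
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise SuspiciousArchive(f"{info.filename} exceeded budget of {budget} bytes")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def fits_budget(data: bytes, budget: int) -> bool:
    try:
        extract_with_budget(data, budget)
    except SuspiciousArchive:
        return False
    return True


def build_zip(entries: dict) -> bytes:
    """Constructed sample archives for the demonstration (not real packages)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


BENIGN = build_zip({"acme-lib/composer.json": b'{"name": "acme/lib"}',
                    "acme-lib/src/Lib.php": b"<?php\nclass Lib {}\n"})
BOMB = build_zip({"acme-lib/blob.bin": b"\x00" * (8 * 1024 * 1024)})   # 8 MiB of zeros, ~1000:1
TRAVERSAL = build_zip({"../../etc/cron.d/job": b"* * * * * root id\n"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb", BOMB), ("traversal", TRAVERSAL)):
        verdict = "suspicious" if is_suspicious(blob) else "ok"
        print(f"{label:10} {verdict:11} ratio={inspect_zip(blob)['ratio']:.1f}")
```

The ratio test is only applied above a floor because tiny archives legitimately show extreme ratios (an empty file compresses to a few bytes of framing). The header pass is cheap and catches the obvious cases early; the streaming budget is the control that actually bounds disk and memory use, since it measures inflated output rather than trusting declared sizes.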
It was discovered that there were a number of command-line injection vulnerabilities in Composer, a popular dependency manager for PHP. The 'install', 'status', 'reinstall' and 'remove' functionality had

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3838-1
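The Ubuntu notice USN-7603-1, the Fedora 2.7.7 change notes and DLA-3838-1 above all describe command injection through attacker-controlled git or hg branch names. As an added illustration, not Composer's own fix (Composer is PHP; this is a stand-alone Python script), the following shows the two controls that matter when a VCS tool is driven with untrusted ref names: refuse names that cannot be valid refs or that begin with a dash (which an option parser would read as a flag), and invoke git with an argv list and a "--" separator rather than through a shell, so that shell metacharacters in a name are inert. The remote URL and branch names are constructed for the example; the validator approximates git's ref-name rules in Python so the script runs without git, and is not git check-ref-format itself.

```python
import re
import subprocess

# Characters git forbids in a ref name (see git-check-ref-format(1)):
# ASCII control characters, space, DEL, ~ ^ : ? * [ and backslash.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """Pure-Python approximation of `git check-ref-format --branch`.
    Rejects anything an option parser would interpret and anything git
    itself would refuse as a ref name."""
    if not name or name.startswith("-"):          # a leading dash reads as an option
        return False
    if _FORBIDDEN.search(name):
        return False
    if ".." in name or "@{" in name or name == "@" or name.endswith("."):
        return False
    for component in name.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def git_fetch_argv(remote_url: str, branch: str) -> list:
    """Build argv to fetch exactly one branch. Two independent controls:
    the name is validated, and '--' ends option parsing so that even a
    name that slipped past validation cannot be read as a git option."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"refusing unsafe branch name: {branch!r}")
    return ["git", "fetch", "--", remote_url, f"refs/heads/{branch}"]


def run_git(argv: list) -> subprocess.CompletedProcess:
    """Run without a shell: argv elements reach git verbatim, so ';', '$(...)'
    or backticks inside a branch name are just characters in a ref name."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed candidates: one ordinary name, one option-shaped name, one with a
    # shell metacharacter (valid for git, harmless without a shell), and three that
    # git itself would reject.
    for candidate in ("feature/login", "--upload-pack=/tmp/x", "main;id",
                      "a..b", "v1.lock", "@{1}"):
        print(f"{candidate!r:26} -> {is_safe_branch_name(candidate)}")
    print(git_fetch_argv("https://example.invalid/acme/lib.git", "feature/login"))
```

Note that "main;id" is accepted: it is a legal git ref name, and the point of the argv-list call is that it never needs to be rejected, because no shell ever sees it. The validator exists for the other class of problem, a name that a VCS client's own option parser would misread, and "--" closes even that door. The same two rules apply to hg; its argument conventions differ in detail and are not shown here.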