--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3e8172bbdb
2026-05-23 15:47:52.432854+00:00
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 43
Version     : 2.9.8
Release     : 1.fc43
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.9.8 - 2026-05-13
  Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 13 2026 Remi Collet - 2.9.8-1
- update to 2.9.8
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3e8172bbdb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list --
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bd05cb6c4d
2026-05-23 00:56:16.173256+00:00
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 44
Version     : 2.9.8
Release     : 1.fc44
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.9.8 - 2026-05-13
  Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 13 2026 Remi Collet - 2.9.8-1
- update to 2.9.8
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bd05cb6c4d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1140c02041
2026-04-25 01:21:36.173013+00:00
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 44
Version     : 2.9.7
Release     : 1.fc44
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.9.7 - 2026-04-14
  Fixes regression calling custom script command aliases that are called a
    substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14
  Security: Fixed command injection via malicious Perforce reference
    (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  Security: Fixed command injection via malicious Perforce repository
    definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  Security: Fixed git credentials remaining in git mirror .git/config after
    clone or update failed (2bcbfc3d)
  Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing
    (5e71d77e)
  Security: Fixed Perforce unescaped user input in queryP4User shell command
    (ef3fc088)
  Security: Hardened git/hg/perforce/fossil identifier validation to ensure
    branch names starting with - do not cause issues (6621d45, d836b90,
    5e08c764)
  Fixed inconsistent treatment of SingleCommandApplication script commands
    wrt autoloading (#12758)
  Fixed GitHub API authentication errors not being visible to the user
    (#12737)
  Fixed some platform package parsing failing when Composer runs in web SAPIs
    (#12735)
  Fixed error reporting for clarity when a constraint cannot be parsed
    (#12743)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 14 2026 Remi Collet - 2.9.7-1
- update to 2.9.7
* Tue Apr 14 2026 Remi Collet - 2.9.6-1
- update to 2.9.6
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2459009 - CVE-2026-40261 composer: command injection via malicious Perforce source reference/url [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459009
  [ 2 ] Bug #2459011 - CVE-2026-40176 composer: command injection via malicious Perforce repository definition [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2459011
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1140c02041' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-02c1f66b6a
2026-04-16 00:53:32.960292+00:00
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 43
Version     : 2.9.7
Release     : 1.fc43
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.9.7 - 2026-04-14
  Fixes regression calling custom script command aliases that are called a
    substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14
  Security: Fixed command injection via malicious Perforce reference
    (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  Security: Fixed command injection via malicious Perforce repository
    definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  Security: Fixed git credentials remaining in git mirror .git/config after
    clone or update failed (2bcbfc3d)
  Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing
    (5e71d77e)
  Security: Fixed Perforce unescaped user input in queryP4User shell command
    (ef3fc088)
  Security: Hardened git/hg/perforce/fossil identifier validation to ensure
    branch names starting with - do not cause issues (6621d45, d836b90,
    5e08c764)
  Fixed inconsistent treatment of SingleCommandApplication script commands
    wrt autoloading (#12758)
  Fixed GitHub API authentication errors not being visible to the user
    (#12737)
  Fixed some platform package parsing failing when Composer runs in web SAPIs
    (#12735)
  Fixed error reporting for clarity when a constraint cannot be parsed
    (#12743)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 14 2026 Remi Collet - 2.9.7-1
- update to 2.9.7
* Tue Apr 14 2026 Remi Collet - 2.9.6-1
- update to 2.9.6
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-02c1f66b6a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0b03072979
2026-01-14 00:50:55.476166+00:00
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 43
Version     : 2.9.3
Release     : 1.fc43
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.9.3 - 2025-12-30
  Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g /
    CVE-2025-67746)
  Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates
    done via the install command, and added --no-security-blocking flag to
    install as well (#12677)
  Fixed update --lock / update mirrors not working when locked packages
    contain vulnerabilities (#12645)
  Fixed client-certificate authentication implementation (#12667)
  Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
  Fixed crash when --bump-after-update is used and the lock file is disabled
    (#12660)
  Fixed support for SecureTransport + LibreSSL on macOS (#12615)
  Fixed display of reasons for why advisories are ignored (#12668)
  Fixed compatibility issues when git has log.showSignature enabled (#12666)
  Fixed curl downloader not retrying when a timeout (err 28) failure occurs
    (#12662)
  Fixed EventDispatcher requiring a full Composer instance to function
    (#12629)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 31 2025 Remi Collet - 2.9.3-1
- update to 2.9.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2428108 - CVE-2025-67746 composer: Composer: Terminal output manipulation leading to Denial of Service [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2428108
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0b03072979' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-d5ab1f0b44
2023-11-03 18:20:20.952464
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 39
Version     : 2.6.5
Release     : 1.fc39
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

**Version 2.6.5** - 2023-10-06

* Fixed error when vendor dir contains broken symlinks (#11670)
* Fixed composer.lock missing from Composer's zip archives (#11674)
* Fixed AutoloadGenerator::dump() non-BC signature change in 2.6.4 (cb363b0e8)

----

**Version 2.6.4** - 2023-09-29

* Security: Fixed possible remote code execution vulnerability if
  composer.phar is publicly accessible, executable as PHP, and
  register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf /
  **CVE-2023-43655**)
* Fixed json output of abandoned packages in audit command (#11647)
* Performance improvement in pool optimization step (#11638)
* Performance improvement in `show -a ` (#11659)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 6 2023 Remi Collet - 2.6.5-1
- update to 2.6.5
* Fri Sep 29 2023 Remi Collet - 2.6.4-1
- update to 2.6.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2241496 - CVE-2023-43655 composer: Remote Code Execution via web-accessible composer.phar
        https://bugzilla.redhat.com/show_bug.cgi?id=2241496
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-d5ab1f0b44' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-42b49413a6
2018-04-27 03:58:32.276830
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 28
Version     : 1.6.4
Release     : 1.fc28
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

**Version 1.6.4** - 2018-04-13

* Security fixes in some edge case scenarios, recommended update for all users
* Fixed regression in version guessing of path repositories
* Fixed removing aliased packages from the repository, which might resolve
  some odd update bugs
* Fixed updating of package URLs for GitLab
* Fixed run-script --list failing when script handlers were defined
* Fixed init command not respecting the current php version when selecting
  package versions
* Fixed handling of uppercase package names in why/why-not commands
* Fixed exclude-from-classmap symlink handling
* Fixed filesystem permissions of PEAR binaries
* Improved performance of subversion repos
* Other minor fixes
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 16 2018 Remi Collet - 1.6.4-1
- update to 1.6.4
* Tue Feb 20 2018 Remi Collet - 1.6.3-4
- switch to Symfony 2 only
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-42b49413a6' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-9d1ff4b802
2018-04-25 17:58:40.817318
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 27
Version     : 1.6.4
Release     : 1.fc27
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

**Version 1.6.4** - 2018-04-13

* Security fixes in some edge case scenarios, recommended update for all users
* Fixed regression in version guessing of path repositories
* Fixed removing aliased packages from the repository, which might resolve
  some odd update bugs
* Fixed updating of package URLs for GitLab
* Fixed run-script --list failing when script handlers were defined
* Fixed init command not respecting the current php version when selecting
  package versions
* Fixed handling of uppercase package names in why/why-not commands
* Fixed exclude-from-classmap symlink handling
* Fixed filesystem permissions of PEAR binaries
* Improved performance of subversion repos
* Other minor fixes
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 16 2018 Remi Collet - 1.6.4-1
- update to 1.6.4
* Tue Feb 20 2018 Remi Collet - 1.6.3-4
- switch to Symfony 2 only
* Thu Feb 1 2018 Remi Collet - 1.6.3-1
- Update to 1.6.3
* Sun Jan 7 2018 Remi Collet - 1.6.2-1
- Update to 1.6.2
* Thu Jan 4 2018 Remi Collet - 1.6.1-1
- Update to 1.6.1
* Thu Jan 4 2018 Remi Collet - 1.6.0-2
- open https://github.com/composer/composer/pull/6974
  Fix dependency on composer/spdx-licenses
- raise dependency on composer/spdx-licenses 1.2
* Mon Dec 18 2017 Remi Collet - 1.5.6-1
- Update to 1.5.6
- switch to symfony package names
* Fri Dec 1 2017 Remi Collet - 1.5.5-1
- Update to 1.5.5
* Fri Dec 1 2017 Remi Collet - 1.5.4-1
- Update to 1.5.4
* Fri Dec 1 2017 Remi Collet - 1.5.3-1
- Update to 1.5.3
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-9d1ff4b802' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------