-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-bb55f8476a 2024-06-20 08:00:46.156359 --------------------------------------------------------------------------------
Name : composer Product : Fedora 39 Version : 2.7.7 Release : 1.fc39 URL : https://getcomposer.org/ Summary : Dependency Manager for PHP Description : Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere.
Documentation: https://getcomposer.org/doc/
-------------------------------------------------------------------------------- Update Information:
Version 2.7.7 2024-06-10 Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241) Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242) Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957) Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000) Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001) Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c) Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c) Fixed perforce argument escaping (3773f775) Fixed handling of zip bombs when extracting archives (de5f7e32) Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324) Fixed ability for config command to remove autoload keys (#11967) Fixed empty type support in init command (#11999) Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969) Fixed regression showing network errors on PHP <8.1 (#11974) Fixed some color bleed from a few warnings (#11972) -------------------------------------------------------------------------------- ChangeLog:
* Tue Jun 11 2024 Remi Collet remi@remirepo.net - 2.7.7-1 - update to 2.7.7 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2291429 - CVE-2024-35242 composer: crafted branch names can lead to command injection https://bugzilla.redhat.com/show_bug.cgi?id=2291429 [ 2 ] Bug #2291430 - CVE-2024-35241 composer: crafted branch names in the repository can be used to execute code https://bugzilla.redhat.com/show_bug.cgi?id=2291430 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-bb55f8476a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------