-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-9ed24c98cd 2024-06-20 01:49:57.623881 -------------------------------------------------------------------------------- Name : composer Product : Fedora 40 Version : 2.7.7 Release : 1.fc40 URL : https://getcomposer.org/ Summary : Dependency Manager for PHP Description : Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Documentation: https://getcomposer.org/doc/ -------------------------------------------------------------------------------- Update Information: Version 2.7.7 2024-06-10 Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241) Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242) Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957) Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000) Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001) Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c) Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c) Fixed perforce argument escaping (3773f775) Fixed handling of zip bombs when extracting archives (de5f7e32) Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324) Fixed ability for config command to remove autoload keys (#11967) Fixed empty type support in init command (#11999) Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969) Fixed regression showing network errors on PHP <8.1 (#11974) Fixed some color bleed from a few warnings (#11972) -------------------------------------------------------------------------------- ChangeLog: * Tue Jun 11 2024 Remi Collet <remi@xxxxxxxxxxxx> - 2.7.7-1 - update to 2.7.7 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2291429 - CVE-2024-35242 composer: crafted branch names can lead to command injection https://bugzilla.redhat.com/show_bug.cgi?id=2291429 [ 2 ] Bug #2291430 - CVE-2024-35241 composer: crafted branch names in the repository can be used to execute code https://bugzilla.redhat.com/show_bug.cgi?id=2291430 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-9ed24c98cd' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- package-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
