
Debian alert DLA-3838-1 (composer)

From:  Chris Lamb <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 3838-1] composer security update
Date:  Wed, 19 Jun 2024 12:56:03 -0700
Message-ID:  <171882435847.114689.3608376183243090339@copycat>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3838-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
June 19, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : composer
Version        : 1.8.4-1+deb10u4
CVE IDs        : CVE-2024-35241 CVE-2024-35242
Debian Bugs    : 1073125 1073126

It was discovered that there were a number of command-line injection
vulnerabilities in Composer, a popular dependency manager for PHP. The
'install', 'status', 'reinstall' and 'remove' functionality had issues
when used with Git or Hg repositories which used maliciously-crafted
branch names, which could have been abused to execute arbitrary shell
commands.

For Debian 10 buster, this problem has been fixed in version
1.8.4-1+deb10u4.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/composer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
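The advisory describes shell-command injection through branch names handed to Git or Hg. The PHP below is an added illustration of the defensive pattern, not Composer's own code nor its actual fix: validate a ref name against git's naming rules, anchor it under refs/heads/ so it can never be parsed as an option, and quote it with escapeshellarg() before it reaches a shell. The function names and the sample branch names are assumptions.

```php
<?php
// Added example, not Composer's code: harden the path from an untrusted
// branch name to a git subprocess. Assumes PHP 7.3+ and git on PATH.

// Approximation of git's ref-name rules (see git check-ref-format). A name
// that fails here is refused before any command line is built.
function isSafeRefName(string $ref): bool
{
    if ($ref === '' || $ref === '@' || $ref[0] === '-') {
        return false;               // empty, bare "@", or looks like an option
    }
    // Control characters, DEL, space, and the characters git forbids outright.
    if (preg_match('/[\x00-\x1f\x7f ~^:?*\[\\\\]/', $ref)) {
        return false;
    }
    if (strpos($ref, '..') !== false || strpos($ref, '@{') !== false
        || strpos($ref, '//') !== false) {
        return false;
    }
    if (substr($ref, -1) === '/' || substr($ref, -1) === '.') {
        return false;
    }
    foreach (explode('/', $ref) as $component) {
        if ($component === '' || $component[0] === '.' || substr($component, -5) === '.lock') {
            return false;
        }
    }
    return true;
}

// Build the command that resolves a branch. The refs/heads/ prefix means the
// argument can never start with "-", and escapeshellarg() single-quotes it so
// any shell metacharacters in the name are inert.
function buildResolveBranchCommand(string $ref): string
{
    if (!isSafeRefName($ref)) {
        throw new InvalidArgumentException('refusing unsafe ref name: ' . json_encode($ref));
    }
    return 'git rev-parse --verify ' . escapeshellarg('refs/heads/' . $ref);
}

// Constructed sample names: the first three are accepted (the third shows the
// quoting), the remaining ones are refused by the validator.
foreach (['main', 'feature/x-1', 'a;b', '-looks-like-an-option', 'x..y', 'foo.lock'] as $name) {
    try {
        echo buildResolveBranchCommand($name), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Running a subprocess via proc_open() with an argument array (PHP 7.4+) avoids the shell entirely; the ref-name check and the refs/heads/ prefix still apply, because option injection does not need a shell.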

