Description
Security update for php-composer2
This update for php-composer2 fixes the following issues:
- CVE-2023-43655: Fixed a remote code execution issue that could be triggered if users published a web-accessible composer.phar file (bsc#1215859).
Package list
Container bci/php-apache:latest
php-composer2-2.2.3-150400.3.6.1
Container bci/php-fpm:latest
php-composer2-2.2.3-150400.3.6.1
Container bci/php:latest
php-composer2-2.2.3-150400.3.6.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4
php-composer2-2.2.3-150400.3.6.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP5
php-composer2-2.2.3-150400.3.6.1
openSUSE Leap 15.4
php-composer2-2.2.3-150400.3.6.1
openSUSE Leap 15.5
php-composer2-2.2.3-150400.3.6.1
References
- Link for SUSE-SU-2023:4041-1
- E-Mail link for SUSE-SU-2023:4041-1
- SUSE Security Ratings
- SUSE Bug 1215859
- SUSE CVE CVE-2023-43655 page
Description
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
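An audit helper for the two conditions the description above combines (a composer.phar reachable under the web root and `register_argc_argv` enabled in php.ini), added here as an example; it is not part of the SUSE advisory or of Composer itself, and the web-root path and php.ini contents it takes are assumptions supplied by the caller:

```shell
#!/bin/sh
# Added example, not from the advisory. Checks the two preconditions named
# for CVE-2023-43655: register_argc_argv enabled and composer.phar present
# under a web-served directory. Updating php-composer2 remains the fix; this
# only tells you whether the unpatched-workaround conditions still hold.

# Return 0 if the php.ini text passed as $1 enables register_argc_argv.
# Accepts On/1/true/yes (case-insensitive); commented-out lines (";") do
# not match because the pattern is anchored at the start of the line.
ini_enables_argc_argv() {
    printf '%s\n' "$1" | grep -Eiq \
        '^[[:space:]]*register_argc_argv[[:space:]]*=[[:space:]]*(on|1|true|yes)[[:space:]]*$'
}

# Return 0 if any file named composer.phar exists under the web root $1.
webroot_has_composer_phar() {
    [ -n "$(find "$1" -type f -name composer.phar 2>/dev/null | head -n 1)" ]
}

# Print VULNERABLE_CONFIG (and return 1) when both conditions hold,
# otherwise print OK and return 0.  $1 = php.ini text, $2 = web root.
assess() {
    if ini_enables_argc_argv "$1" && webroot_has_composer_phar "$2"; then
        echo VULNERABLE_CONFIG
        return 1
    fi
    echo OK
    return 0
}

# Constructed demonstration: a temporary web root containing a composer.phar
# and a php.ini line that enables the setting.  Real use would pass
# "$(cat /etc/php8/apache2/php.ini)" (path is an assumption) and the DocumentRoot.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public"
    : > "$root/public/composer.phar"
    assess "register_argc_argv = On" "$root" || true   # prints VULNERABLE_CONFIG
    assess "register_argc_argv = Off" "$root"          # prints OK
    rm -rf "$root"
}
```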
Affected products
Container bci/php-apache:latest:php-composer2-2.2.3-150400.3.6.1
Container bci/php-fpm:latest:php-composer2-2.2.3-150400.3.6.1
Container bci/php:latest:php-composer2-2.2.3-150400.3.6.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4:php-composer2-2.2.3-150400.3.6.1
References
- CVE-2023-43655
- SUSE Bug 1215859