Description
Security update for php-composer2
This update for php-composer2 fixes the following issues:
- CVE-2024-35241: Fixed code execution when managing packages installed from source from a repository with specially crafted branch names (bsc#1226181).
- CVE-2024-35242: Fixed command injection via specially crafted branch names when running Composer inside a cloned repository (bsc#1226182).
Package list
Container bci/php-apache:latest
Container bci/php-fpm:latest
Container bci/php:latest
SUSE Linux Enterprise Module for Web and Scripting 15 SP6
openSUSE Leap 15.6
References
- Link for SUSE-SU-2024:2107-1
- E-Mail link for SUSE-SU-2024:2107-1
- SUSE Security Ratings
- SUSE Bug 1226181
- SUSE Bug 1226182
- SUSE CVE CVE-2024-35241 page
- SUSE CVE CVE-2024-35242 page
Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
Affected products
References
- CVE-2024-35241
- SUSE Bug 1226181
Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
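As an added example, not part of the SUSE advisory or of Composer itself, the following POSIX shell script turns the two descriptions above into a check a practitioner can run: it classifies a Composer 2.x version against the fixed versions the advisory names (2.2.24 for the 2.2 LTS line, 2.7.7 for mainline) and prints the stated workarounds for an affected install. The function names, the `--check` flag and the sample banner strings are this example's own; the banner parser assumes the `Composer version X.Y.Z <date>` line that `composer --version` prints.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or of the Composer project.
# Classifies a Composer 2.x version against the fixed versions the advisory
# states (2.2.24 for 2.2 LTS, 2.7.7 for mainline) for CVE-2024-35241 /
# CVE-2024-35242 and prints the advisory's workarounds for affected installs.

# composer_vulnerable VERSION  ->  exit 0 when VERSION is an affected 2.x
# release, 1 otherwise. Releases outside the 2.x branch are outside this
# advisory's scope and are reported as not affected.
composer_vulnerable() {
    v=${1%%[!0-9.]*}                     # strip -dev, +build and similar suffixes
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    [ "$major" -eq 2 ] || return 1       # only the 2.x branch is covered
    if [ "$minor" -lt 2 ]; then return 0; fi                                  # 2.0/2.1: before both fixes
    if [ "$minor" -eq 2 ]; then [ "$patch" -lt 24 ] && return 0; return 1; fi # 2.2 LTS: fixed in 2.2.24
    if [ "$minor" -lt 7 ]; then return 0; fi                                  # 2.3..2.6: before 2.7.7
    if [ "$minor" -eq 7 ]; then [ "$patch" -lt 7 ] && return 0; return 1; fi  # mainline: fixed in 2.7.7
    return 1                                                                  # 2.8 and later carry the fix
}

# composer_version_from_banner "Composer version 2.7.6 2024-05-06 11:46:30"
# prints "2.7.6" (assumed banner format of `composer --version` on 2.x);
# prints nothing when the line does not look like a Composer banner.
composer_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9.]*[^ ]*\).*/\1/p'
}

# composer_advice VERSION  ->  verdict on stdout; exit 0 if fixed, 1 if the
# advisory's workarounds should be applied, 2 if VERSION is unparseable.
composer_advice() {
    case $1 in
        [0-9]*) ;;
        *) echo "could not determine Composer version"; return 2 ;;
    esac
    if composer_vulnerable "$1"; then
        echo "Composer $1 is affected by CVE-2024-35241 / CVE-2024-35242."
        echo "Upgrade to 2.2.24 (2.2 LTS) or 2.7.7 (mainline). Until then:"
        echo "  CVE-2024-35241: install from dist only:"
        echo "    composer install --prefer-dist"
        echo "    composer config preferred-install dist   # persists the setting in composer.json"
        echo "  CVE-2024-35242: do not run composer inside a clone of an untrusted repository"
        return 1
    fi
    echo "Composer $1 is not affected by this advisory."
    return 0
}

# Check the Composer on PATH only when invoked with --check, so the file can
# also be sourced from a CI job without side effects.
if [ "${1:-}" = "--check" ]; then
    composer_advice "$(composer_version_from_banner "$(composer --version 2>/dev/null)")"
fi
```

Run it as `sh check-composer.sh --check` (hypothetical file name) on a host with Composer on PATH, or source it and call `composer_vulnerable` directly; exit status 1 from `composer_advice` marks an affected version, which makes it usable as a CI gate. The persistent form of the first workaround is the `preferred-install` key under `config` in composer.json, which `composer config preferred-install dist` writes. Note that dist installs only address CVE-2024-35241: CVE-2024-35242 is triggered by branch names in the checkout that `composer install` itself runs in, so the only workaround there is not running Composer inside an untrusted clone.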
Affected products
References
- CVE-2024-35242
- SUSE Bug 1226182