Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2022:0132-1

Опубликовано: 10 мая 2022
Источник: suse-cvrf

Описание

Security update for php-composer

This update for php-composer fixes the following issues:

php-composer was updated to version 1.10.26:

  • Security: Fixed command injection vulnerability in HgDriver/GitDriver: CVE-2022-24828 boo#1198494

Update to version 1.10.25

  • Fix regression with PHP 8.1.0 and 8.1.1

Update to version 1.10.24

  • Fixed PHP 8.1 compatibility

Update to version 1.10.23

  • Security: Fixed command injection vulnerability CVE-2021-41116

Список пакетов

SUSE Package Hub 15 SP3
php-composer-1.10.26-bp153.2.6.1
openSUSE Leap 15.3
php-composer-1.10.26-bp153.2.6.1

Ссылки

Описание

Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.

Затронутые продукты
SUSE Package Hub 15 SP3:php-composer-1.10.26-bp153.2.6.1
openSUSE Leap 15.3:php-composer-1.10.26-bp153.2.6.1
Ссылки

Описание

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

Затронутые продукты
SUSE Package Hub 15 SP3:php-composer-1.10.26-bp153.2.6.1
openSUSE Leap 15.3:php-composer-1.10.26-bp153.2.6.1
Ссылки