Your message dated Sat, 10 Feb 2024 13:11:21 +0000
with message-id <e1ryn8b-001ebe...@fasolo.debian.org>
and subject line Bug#1063603: fixed in composer 2.7.1-1
has caused the Debian Bug report #1063603,
regarding composer: CVE-2024-24821
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1063603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: composer
Version: 2.6.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for composer.
CVE-2024-24821[0]:
| Composer is a dependency Manager for the PHP language. In affected
| versions several files within the local working directory are
| included during the invocation of Composer and in the context of the
| executing user. As such, under certain conditions arbitrary code
| execution may lead to local privilege escalation, provide lateral
| user movement or malicious code execution when Composer is invoked
| within a directory with tampered files. All Composer CLI commands
| are affected, including composer.phar's self-update. The following
| scenarios are of high risk: Composer being run with sudo, Pipelines
| which may execute Composer on untrusted projects, Shared
| environments with developers who run Composer individually on the
| same project. This vulnerability has been addressed in versions
| 2.7.0 and 2.2.23. It is advised that the patched versions are
| applied at the earliest convenience. Where not possible, the
| following should be addressed: Remove all sudo composer privileges
| for all users to mitigate root privilege escalation, and avoid
| running Composer within an untrusted directory, or if needed, verify
| that the contents of `vendor/composer/InstalledVersions.php` and
| `vendor/composer/installed.php` do not include untrusted code. A
| reset can also be done on these files by the following:
|
| ```sh
| rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
| composer install --no-scripts --no-plugins
| ```
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24821
https://www.cve.org/CVERecord?id=CVE-2024-24821
[1] https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
[2] https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
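The advisory quoted above says to verify that `vendor/composer/installed.php` and `vendor/composer/InstalledVersions.php` "do not include untrusted code" before Composer is run in a directory you do not fully trust. For `installed.php` that check is mechanical: Composer writes it as `<?php return array(...);` containing only single-quoted strings, numbers, `true`/`false`/`null`, `array()` and `__DIR__ . '...'` path concatenations, so any bare identifier, double-quoted string (PHP interpolates `{$...}` in those), `$` variable or other operator means something was added by hand. The following is an added example, not code from the Debian report or the Composer project: a minimal lexer for that data-only subset of PHP that reports every token outside it. The regex, the function names and the sample files are assumptions made here; the samples are constructed, with the tampered variants showing a function call hidden in a value and an interpolating string. `InstalledVersions.php` is executable code by design (it is a copy of Composer's own class), so this check does not apply to it; for that file the advisory's reset (delete both files, then `composer install --no-scripts --no-plugins`) is the practical answer.

```python
"""Check that vendor/composer/installed.php is a pure data literal.

Composer includes this file on every invocation, so a tampered copy runs as
the invoking user (CVE-2024-24821). A generated copy only needs the token
classes allowed below; anything else is reported as suspicious.
"""
import re
import sys

# Hypothetical minimal lexer for the subset of PHP a generated installed.php
# is expected to use (assumption made for this example, not Composer's code).
_TOKEN_RE = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<comment>(?://|\#)(?:(?!\?>)[^\n])*|/\*.*?\*/)
  | (?P<open><\?php\b)
  | (?P<sq>'(?:\\.|[^'\\])*')
  | (?P<dq>"(?:\\.|[^"\\])*")
  | (?P<num>-?\d+(?:\.\d+)?)
  | (?P<kw>\b(?:return|array|true|false|null|__DIR__)\b)
  | (?P<punct>=>|[(),;.\[\]])
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<other>.)
    """,
    re.VERBOSE | re.DOTALL | re.IGNORECASE,
)

# Token classes that must not occur in a data-only file:
#   ident  - any bare identifier (function call, constant, cast, include, ...)
#   dq     - double-quoted strings allow {$var} / ${expr} interpolation
#   other  - `$`, backticks, `?>`, braces, arithmetic/logic operators, ...
# Note: a `//` or `#` comment is cut at `?>`, because PHP ends such comments there.
_FORBIDDEN = {"ident", "dq", "other"}


def find_code_in_data_file(src: str) -> list[str]:
    """Return every token that a generated installed.php should not contain.

    An empty list means the file is data-only and safe for Composer to include.
    """
    return [m.group() for m in _TOKEN_RE.finditer(src) if m.lastgroup in _FORBIDDEN]


def is_pure_data(src: str) -> bool:
    return not find_code_in_data_file(src)


def check_file(path: str) -> list[str]:
    """Run the check on a file on disk (e.g. vendor/composer/installed.php)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_code_in_data_file(fh.read())


# Constructed sample in the shape Composer writes, trimmed to the root package.
CLEAN_INSTALLED_PHP = """<?php return array(
    'root' => array(
        'name' => 'example/app',
        'pretty_version' => 'dev-main',
        'version' => 'dev-main',
        'reference' => null,
        'type' => 'project',
        'install_path' => __DIR__ . '/../../',
        'aliases' => array(),
        'dev' => true,
    ),
    'versions' => array(
        'example/app' => array(
            'pretty_version' => 'dev-main',
            'version' => 'dev-main',
            'reference' => null,
            'type' => 'project',
            'install_path' => __DIR__ . '/../../',
            'aliases' => array(),
            'dev_requirement' => false,
        ),
    ),
);
"""

# Constructed tampered sample: a function call hidden inside a value.
TAMPERED_CALL = CLEAN_INSTALLED_PHP.replace(
    "'dev' => true,", "'dev' => (bool) system('id'),", 1)

# Constructed tampered sample: a double-quoted string that PHP would interpolate.
TAMPERED_INTERP = CLEAN_INSTALLED_PHP.replace(
    "'type' => 'project',", "'type' => \"{$_ENV['HOME']}\",", 1)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        bad = check_file(sys.argv[1])
        print("OK: data only" if not bad else f"SUSPICIOUS tokens: {bad}")
    else:
        for label, src in (("clean", CLEAN_INSTALLED_PHP),
                           ("call", TAMPERED_CALL),
                           ("interp", TAMPERED_INTERP)):
            print(label, find_code_in_data_file(src))
```

Run it as `python3 check_installed.py vendor/composer/installed.php` in a pipeline step before any `composer` command; a non-empty finding is a reason to apply the advisory's reset rather than to "clean" the file by hand, since the lexer only recognises the generated shape and will not tell you what the injected code does.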
--- Begin Message ---
Source: composer
Source-Version: 2.7.1-1
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated composer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 10 Feb 2024 11:18:19 +0100
Source: composer
Architecture: source
Version: 2.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1061291 1063603
Changes:
composer (2.7.1-1) unstable; urgency=medium
.
[ Jordi Boggiano ]
* Merge pull request from GHSA-7c6p-848j-wh5h [CVE-2024-24821]
(Closes: #1063603)
* Release 2.7.1
.
[ David Prévot ]
* Extend recommended packages list (Closes: #1061291)
Checksums-Sha1:
2bb260346e20febbb761adf104fbe8bad497b8c7 2319 composer_2.7.1-1.dsc
2ca791fcbda58871f8c99993f2067c5aff50a99f 656568 composer_2.7.1.orig.tar.xz
900c8ce598b05a97079154f7b074f72429917a75 14828 composer_2.7.1-1.debian.tar.xz
2a086c71a8aee3b24e6fe14d40f9d1e52980dcd4 9780 composer_2.7.1-1_amd64.buildinfo
Checksums-Sha256:
23efd15fbe114f027d680cd033414d8457828e65b01d369a8d73aa46489493a9 2319 composer_2.7.1-1.dsc
f5b6f31279976d5f7a7a94549919fdeb5ae93441f301106c2e00863a554401f3 656568 composer_2.7.1.orig.tar.xz
823b8a26ffcc9ce8e3d93eae611e1843ad0529280e50d53d0b526b76a29fb4f9 14828 composer_2.7.1-1.debian.tar.xz
56ca7728c4bd037b739041d6d58fc5eb859a5660ce9ce67b93229de06a136aae 9780 composer_2.7.1-1_amd64.buildinfo
Files:
b55f58eee9d4b011dadc6735bc1f9345 2319 php optional composer_2.7.1-1.dsc
84d2ce883c00f0cd5f122087d960dde5 656568 php optional composer_2.7.1.orig.tar.xz
002420de756501167af182c8e3c91479 14828 php optional composer_2.7.1-1.debian.tar.xz
9f429bf5517dfd2795d97d28becc56f5 9780 php optional composer_2.7.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmXHVNMSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08R/wH/0TeDE8xTEtQngn7jpDB5zAi93JvoKCb
F1QPZQsjMWOSuOsS4S9XYaW5ppXuMrxFlmzJC9jXgILzwtiMK6tJzZuT9ttdWGu6
ZicnPG7DAuEhgw8Id3QEZBKpnf7h6Gw2yl3fvy5ZRI35aKnrJuAk/5LFSCJxeBQK
chsZpjUuzW7CwpWYllK7tQsUl2Swsd1jnF1wzhKbGTqK6QJtoDCwrNc/lVhDwYet
zhrIwA2GOfYYXCwUsxFVexkuW9fIhcEKltFhDXLxKqigNUa4+E7+70LMa+9ipadZ
t3nnIHJSJ1UUoWiHV5FGdFG2nTTHrvKy3RWmyv4a2eZ/LWCs0b3Wnyk=
=7Ky8
-----END PGP SIGNATURE-----
--- End Message ---