Source: composer
Version: 2.7.6-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for composer.

CVE-2024-35241[0]:
| Composer is a dependency manager for PHP. On the 2.x branch prior to
| versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove`
| commands with packages installed from source via git containing
| specially crafted branch names in the repository can be used to
| execute code. Patches for this issue are available in version 2.2.24
| for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing
| dependencies via git by using `--prefer-dist` or the
| `preferred-install: dist` config setting.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35241
    https://www.cve.org/CVERecord?id=CVE-2024-35241
[1] https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
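An added audit helper for checking a deployment against the advisory above; it is not part of this report or of Composer itself. It lists packages under vendor/ that were installed from source (a .git checkout is present) and flags any checked-out branch name containing characters outside a conservative set, reading .git/HEAD directly so the name is never placed on a command line. The vendor/ layout and the fixture values in demo() are assumptions.

```shell
#!/bin/sh
# Audit helper (added example, not Composer's own code).
# Assumes the standard vendor/<vendor>/<package> layout.

# Return 0 (true) when a ref name contains anything outside
# letters, digits, '.', '_', '/' and '-'.
is_suspicious_ref() {
    case "$1" in
        *[!A-Za-z0-9._/-]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the checked-out branch from .git/HEAD without invoking git,
# so the branch name is never interpreted by a shell.
current_ref() {
    head="$1/.git/HEAD"
    [ -f "$head" ] || return 1
    sed -n 's|^ref: refs/heads/||p' "$head"
}

# Report every source-installed package; exit 1 if any ref name is
# suspicious so the check can gate a CI job.
audit_vendor() {
    vendor="${1:-vendor}"
    rc=0
    for pkg in "$vendor"/*/*; do
        [ -d "$pkg/.git" ] || continue
        ref="$(current_ref "$pkg")" || ref="(detached)"
        if is_suspicious_ref "$ref"; then
            printf 'SUSPICIOUS %s ref=%s\n' "$pkg" "$ref"
            rc=1
        else
            printf 'source     %s ref=%s\n' "$pkg" "$ref"
        fi
    done
    return $rc
}

# Constructed fixture: a fake vendor tree with one clean and one odd ref.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/vendor/acme/clean/.git" "$tmp/vendor/acme/odd/.git"
    printf 'ref: refs/heads/main\n' > "$tmp/vendor/acme/clean/.git/HEAD"
    printf 'ref: refs/heads/feature;x\n' > "$tmp/vendor/acme/odd/.git/HEAD"
    status=0
    audit_vendor "$tmp/vendor" || status=$?
    rm -rf "$tmp"
    return $status
}
```

Packages that show up as source-installed can be switched to dist archives with the workaround from the advisory (`--prefer-dist` or the `preferred-install: dist` config setting) until the fixed version is deployed.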