Source: composer
Version: 2.7.6-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for composer.

CVE-2024-35242[0]:
| Composer is a dependency manager for PHP. On the 2.x branch prior to
| versions 2.2.24 and 2.7.7, the `composer install` command running
| inside a git/hg repository which has specially crafted branch names
| can lead to command injection. This requires cloning untrusted
| repositories. Patches are available in version 2.2.24 for 2.2 LTS or
| 2.7.7 for mainline. As a workaround, avoid cloning potentially
| compromised repositories.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35242
    https://www.cve.org/CVERecord?id=CVE-2024-35242
[1] https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
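A pre-install check in the spirit of the workaround quoted above, added here as an example that is not part of the bug report or of Composer's own code: it lists the ref names of a clone with `git for-each-ref` (assumes `git` on PATH) and refuses to proceed when any name contains characters a POSIX shell would interpret, which is exactly the class of branch name the advisory describes.

```python
"""Pre-install check for CVE-2024-35242-style branch-name injection (added
example, not Composer's code): list every git ref of a clone and flag names
containing characters a POSIX shell would interpret, before `composer install`.
"""
import re
import subprocess
import sys
from typing import Iterable, List

# Legal in a git ref name yet meaningful to a POSIX shell; git itself already
# rejects space, ~, ^, :, ?, *, [ and backslash in ref names.
SHELL_META = re.compile(r"[$`;|&()<>'\"\n]")

# Constructed sample ref list, not taken from any real repository.
SAMPLE_REFS = ["refs/heads/main", "refs/tags/v2.7.7", "refs/heads/release;echo"]


def unsafe_refs(refnames: Iterable[str]) -> List[str]:
    """Return the ref names that must never reach a shell unquoted."""
    flagged = []
    for name in refnames:
        short = name.rsplit("/", 1)[-1]
        # A leading dash lets a branch name be parsed as a command-line option.
        if SHELL_META.search(name) or short.startswith("-"):
            flagged.append(name)
    return flagged


def repo_refs(path: str) -> List[str]:
    """All ref names of the git repository at `path`, read without a shell."""
    out = subprocess.run(
        ["git", "-C", path, "for-each-ref", "--format=%(refname)"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def check_before_install(path: str) -> bool:
    """True when the clone at `path` has no suspicious ref names."""
    bad = unsafe_refs(repo_refs(path))
    for name in bad:
        print(f"refusing composer install: suspicious ref {name!r}")
    return not bad


if __name__ == "__main__":
    # With no argument, run the check on the constructed sample instead of a repo.
    if len(sys.argv) > 1:
        sys.exit(0 if check_before_install(sys.argv[1]) else 1)
    print("flagged in sample:", unsafe_refs(SAMPLE_REFS))
```

Because ref names are passed to `git` as an argument list and never through a shell, the check cannot itself be subverted by the names it inspects.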