Your message dated Wed, 19 Jun 2024 18:17:09 +0000
with message-id <e1sjzrp-006zps...@fasolo.debian.org>
and subject line Bug#1073125: fixed in composer 2.5.5-1+deb12u2
has caused the Debian Bug report #1073125,
regarding composer: CVE-2024-35241: Command injection via malicious git branch
name
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1073125: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: composer
Version: 2.7.6-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for composer.
CVE-2024-35241[0]:
| Composer is a dependency manager for PHP. On the 2.x branch prior to
| versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove`
| commands with packages installed from source via git containing
| specially crafted branch names in the repository can be used to
| execute code. Patches for this issue are available in version 2.2.24
| for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing
| dependencies via git by using `--prefer-dist` or the `preferred-
| install: dist` config setting.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-35241
https://www.cve.org/CVERecord?id=CVE-2024-35241
[1] https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: composer
Source-Version: 2.5.5-1+deb12u2
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1073...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated composer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 14 Jun 2024 08:01:19 +0200
Source: composer
Architecture: source
Version: 2.5.5-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1073125 1073126
Changes:
composer (2.5.5-1+deb12u2) bookworm-security; urgency=medium
.
* Include security fixes from 2.7.7:
- Multiple command injections via malicious git/hg branch names
(GHSA-v9qv-c7wm-wgmf) [CVE-2024-35242] (Closes: #1073126)
- Command injection via malicious git branch name
(GHSA-47f6-5gq3-vx9c) [CVE-2024-35241] (Closes: #1073125)
Checksums-Sha1:
304cf6eca620fbf34ce802cc09a3f27490feeadd 2391 composer_2.5.5-1+deb12u2.dsc
54503e38a0659af490a8a791d30580c5521e03bc 20152
composer_2.5.5-1+deb12u2.debian.tar.xz
86356bbc66f52aefdf4f1552a0c8c59e063ee307 9467
composer_2.5.5-1+deb12u2_amd64.buildinfo
Checksums-Sha256:
b11887416eea5f358eaf2ec8875eb83d984dd4d65f747af621c89d4d7bc4377c 2391
composer_2.5.5-1+deb12u2.dsc
2cb597ed19127e1c1ed35de749f282f68a2ab228ddd9155f5a0ecb95f06ce96b 20152
composer_2.5.5-1+deb12u2.debian.tar.xz
7be89f57557f8fb4828c2f668b04e83e4fd1904343d0b6bbe698ca7d91fab3d0 9467
composer_2.5.5-1+deb12u2_amd64.buildinfo
Files:
add278e1bb46637b6c70a7b310b45f0e 2391 php optional composer_2.5.5-1+deb12u2.dsc
dddb4e340e9235718071b7641d948407 20152 php optional
composer_2.5.5-1+deb12u2.debian.tar.xz
525368e7ff656c7ca691192b6857843e 9467 php optional
composer_2.5.5-1+deb12u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmZwH3ISHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08SGUH/2JC5oOPBBhN7OTtXeiiT4jTix02EvoC
cTijWdwH+30vKLMkZoSAMX7TLEuvlwuSoZCP7OKxFwLe89zwmvlA1aeXv013Azzj
eRHf6MmMb641DzpuDYcjBM1zD11V/xMgPkzVVubgQgxSHlcFKToBr9EDeay/B/rC
dBnvQ6gy+pC0RtppQT9UD+BLiVph7w7RzyvpEXqq69zQZeN40WZAtcEmRwh3logy
4sCVkM7AY2J3RqZ8JhNRjwbauPaE7vOG4xmdfckcDv0tOvzjLOQev3VAtYGMLCwS
fj1AQu8CH+yIcMpIEAgpQqzvaqwedh6Wv9SZAs6OzP5mOC5rUd7aECI=
=0bkr
-----END PGP SIGNATURE-----
pgp8daCtkZ1ge.pgp
Description: PGP signature
--- End Message ---
