Your message dated Wed, 19 Jun 2024 18:32:34 +0000
with message-id <e1sk06k-006cpd...@fasolo.debian.org>
and subject line Bug#1073126: fixed in composer 2.0.9-2+deb11u3
has caused the Debian Bug report #1073126,
regarding composer: CVE-2024-35242: Multiple command injections via malicious
git/hg branch names
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1073126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: composer
Version: 2.7.6-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for composer.
CVE-2024-35242[0]:
| Composer is a dependency manager for PHP. On the 2.x branch prior to
| versions 2.2.24 and 2.7.7, the `composer install` command running
| inside a git/hg repository which has specially crafted branch names
| can lead to command injection. This requires cloning untrusted
| repositories. Patches are available in version 2.2.24 for 2.2 LTS or
| 2.7.7 for mainline. As a workaround, avoid cloning potentially
| compromised repositories.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-35242
https://www.cve.org/CVERecord?id=CVE-2024-35242
[1] https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: composer
Source-Version: 2.0.9-2+deb11u3
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1073...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated composer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 14 Jun 2024 13:46:22 +0200
Source: composer
Architecture: source
Version: 2.0.9-2+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1073125 1073126
Changes:
composer (2.0.9-2+deb11u3) bullseye-security; urgency=medium
.
* Include security fixes from 2.7.7
- Multiple command injections via malicious git/hg branch names
(GHSA-v9qv-c7wm-wgmf) [CVE-2024-35242] (Closes: #1073126)
- Command injection via malicious git branch name
(GHSA-47f6-5gq3-vx9c) [CVE-2024-35241] (Closes: #1073125)
Checksums-Sha1:
17ba234703d3d01ca4ea79e46a6a6238c1bc21b4 2103 composer_2.0.9-2+deb11u3.dsc
97be85e2cf972b932ba1ac9c7c40b2eb3ea40a49 31024
composer_2.0.9-2+deb11u3.debian.tar.xz
0147cb28c9eb59068543732aa067d5557983a2a2 9586
composer_2.0.9-2+deb11u3_amd64.buildinfo
Checksums-Sha256:
25eb7151832b8d66ba431bac76c43bee035d888c705bd87eb3266f547633e865 2103
composer_2.0.9-2+deb11u3.dsc
9b698296975118a00ad7c80ccae6025c4de0b62fdea46a0d7d6e9d67c2ecf416 31024
composer_2.0.9-2+deb11u3.debian.tar.xz
0e6f4c5cd3a571c84220cbd36f4a7560e8bc330d1e1f802fe15544e544ded9d8 9586
composer_2.0.9-2+deb11u3_amd64.buildinfo
Files:
2afd26b459e781b0719942725e97c27b 2103 php optional composer_2.0.9-2+deb11u3.dsc
8decf869c99ca9fb1113a0e41464eca9 31024 php optional
composer_2.0.9-2+deb11u3.debian.tar.xz
250778ed040f42dac1dd96466bfcdf8d 9586 php optional
composer_2.0.9-2+deb11u3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmZwH3ISHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08VtwH/046SKe+DhI2Lj7Xtdc0niO888mtDzva
VgFo6FfnIfRYIqyMuGNEWXy9w0bFJFBmDU/OCWNlzq09k4gRVtpoXelnxbhko+Fn
Abn6eBNu81OzKG/8AvOoDnlC0MKhbAxjLaCp/cVWe683YjRzR6Wg8Zzy+VkBopgJ
DJpE7PTOQlJiCuExquFeRLeDOp4Nf3TWb35zfWD+pWjskJUJja4c3nmUkYFBZS9e
WQ6Ooyw6JpHv1LnjZHIC3uQNJRl3KdXPXpGGIboVlpVQtbuQSSjoTxizolIDPno0
fLa0ooiYDN6wGBpTryYEKSeaIMNXM7LwIBY1AaxN8ckExeRQKHg6wx4=
=Yw/i
-----END PGP SIGNATURE-----
pgpMeJm52d01v.pgp
Description: PGP signature
--- End Message ---
