Control: retitle 1134502 trixie-pu: package composer/2.8.8-1+deb13u
Control: retitle 1134503 bookworm-pu: package composer/2.5.5-1+deb12u4

Hi David,

On Tue, Apr 21, 2026 at 12:14:30AM +0200, David Prévot wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:composer
> User: [email protected]
> Usertags: pu
>
> Hi,
>
> As agreed with the security team, I’d like to get CVE-2026-40261 and
> CVE-2026-40261 fixed via an upcoming point release. The changes are
> limited, and only about a niche feature.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> Thanks in advance,
>
> Regards,
>
> taffit

> diff -Nru composer-2.8.8/debian/changelog composer-2.8.8/debian/changelog
> --- composer-2.8.8/debian/changelog 2025-12-30 16:35:23.000000000 +0100
> +++ composer-2.8.8/debian/changelog 2026-04-15 10:50:08.000000000 +0200
> @@ -1,3 +1,12 @@
> +composer (2.8.8-1+deb13u2) trixie; urgency=medium
> +
> + * Fix command injection via malicious Perforce repository definition
> + [CVE-2026-40261]
> + * Fix command injection via malicious Perforce source reference/url
> + [CVE-2026-40176]
> +
> + -- David Prévot <[email protected]> Wed, 15 Apr 2026 10:50:08 +0200

It looks like some metadata got swapped (just the subject afaics, adjusting).

Regards,
Salvatore
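Review bot: the second changelog entry in the hunk is tagged `[CVE-2026-40176]`, but the cover message asks for "CVE-2026-40261 and CVE-2026-40261", so the request text and d/changelog disagree on which two CVEs are being fixed; the second identifier in the request should read CVE-2026-40176 to match the changelog. The version in the hunk is `2.8.8-1+deb13u2`, while the retitle at the top of the reply says `composer/2.8.8-1+deb13u`, so the bug title should carry the full `+deb13u2` revision. Only the debian/changelog hunk is quoted here; the debian/patches changes that implement the two command-injection fixes do not appear in this excerpt, so they cannot be reviewed from it and should be included with the debdiff.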

