-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3838-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb June 19, 2024 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : composer Version : 1.8.4-1+deb10u4 CVE IDs : CVE-2024-35241 CVE-2024-35242 Debian Bugs : 1073125 1073126 It was discovered that there were a number of command-line injection vulnerabilities in Composer, a popular dependency manager for PHP. The 'install', 'status', 'reinstall' and 'remove' functionality had issues when used with Git or Hg repositories which used maliciously- crafted branch names, which could have been abused to execute arbitrary shell commands. For Debian 10 buster, this problem has been fixed in version 1.8.4-1+deb10u4. We recommend that you upgrade your composer packages. For the detailed security status of composer please refer to its security tracker page at: https://security-tracker.debian.org/tracker/composer Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmZzLaEACgkQHpU+J9Qx HlilxRAAuLkSbP9PXBiPlxx/QuVX0wBRmkGESfxptKfP5MC1S2To8Itm03eTq9c6 N7vQi93xpxt6Xldji9Fuo+iK3j6iXS2oVCeuuij7kqmAkhGL9DeeK09rP5X/XJ3b t9IWu7UWlBh79rWco/3hRFXs6qSJrwxEpJXQkeFKyDEOqAaNkHsvclZQcIYknOML xQhkHGN8bdxrwhPhR7TmFoaUQpeHf31O7D4NW9zDyPcs3ePhqrTuUY9vQUJSe56L 1fQa6d1PM+TacfUkV344yPOJFqpfLFRdthloi/LstENAZ6K9eWbZwINnh8JNaoOP /LigyI3qqiw/EYR8ViLUskBP1r4bfuGroSdqSjA4933fagsingkrr/77XRXs9twF 4SME9d/fapR+s6NcZs9Q+bA495Edn8jZgt1R4oq1NPRU5atPykdM1RTZ8oWJudf0 jTk9AXmQ1ggRAisEZQxf8ToVk0PWZkQCxr/w7ah+Zdm4ILQGtekiR92Kfs5+GS9R BEwB2VBmBnZW4v/8OQSrWvESb2sk1tsQXPfEaR4bXoMhNwh9CMLeTDylmWdWIQZ/ /dW++7nZxxMCYCcjPwA3xnQptbWk5izufoObxOh3zThuroCaTRainxd6ZKajBcw0 c0tjh84XCpRsdGfzPRckjtlLFDBSGNX4ItJpcHO9ff9pA4VZvaY= =hFRs -----END PGP SIGNATURE-----
