stable

composer-2.7.7-1.fc40

FEDORA-2024-9ed24c98cd created by remi 9 months ago for Fedora 40

Version 2.7.7 2024-06-10

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Fixed PSR violations for classes not matching the namespace of a rule being hidden; this may lead to new violations being shown (#11957)
  • Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
  • Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
  • Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Fixed Filesystem::isLocalPath including Windows-specific checks on Linux (3c37a67c)
  • Fixed Perforce argument escaping (3773f775)
  • Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Fixed Windows command parameter escaping to prevent abuse of Unicode characters with best-fit encoding conversion (3130a7455, 04a63b324)
  • Fixed ability for config command to remove autoload keys (#11967)
  • Fixed empty type support in init command (#11999)
  • Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
  • Fixed regression showing network errors on PHP <8.1 (#11974)
  • Fixed some color bleed from a few warnings (#11972)

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-9ed24c98cd

This update has been submitted for testing by remi.

9 months ago

This update's test gating status has been changed to 'ignored'.

9 months ago

imabug provided feedback 9 months ago

This update has been pushed to testing.

9 months ago

remi edited this update.

9 months ago

remi edited this update.

9 months ago

remi edited this update.

9 months ago

This update has been submitted for stable by bodhi.

9 months ago

This update has been pushed to stable.

9 months ago


Metadata
  Type: security
  Severity: low
  Karma: 1
  Signed
  Content Type: RPM
  Test Gating

Autopush Settings
  Unstable by Karma: -3
  Stable by Karma: 3
  Stable by Time: 7 days

Dates
  submitted: 9 months ago
  in testing: 9 months ago
  in stable: 9 months ago
  modified: 9 months ago
  approved: 9 months ago

BZ#2291429 CVE-2024-35242 composer: crafted branch names can lead to command injection
BZ#2291430 CVE-2024-35241 composer: crafted branch names in the repository can be used to execute code
BZ#2291431 CVE-2024-35241 composer: crafted branch names in the repository can be used to execute code [fedora-all]
BZ#2291433 CVE-2024-35242 composer: crafted branch names can lead to command injection [fedora-all]
