Composer 2.7.7 (Security)

E

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
943
Location
🇳🇱

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.​

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b958)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67)
  • Security: Fixed perforce argument escaping (3773f77)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e3)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion, reported by Splitline Huang (3130a74, 04a63b3)
  • Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
  • Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
  • Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
  • Fixed ability for config command to remove autoload keys (#11967)
  • Fixed empty type support in init command (#11999)
  • Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
  • Fixed regression showing network errors on PHP <8.1 (#11974)
  • Fixed some color bleed from a few warnings (#11972)

Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures, please update to the new versions immediately (e.g. with composer self-update ).

blog.packagist.com

Composer 2.7.7 & Security Audit by Cure53 funded by Alpha-Omega

Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures, please update to the new versions immediately (e.g. with
blog.packagist.com blog.packagist.com
 
Last edited:
You must log in or register to reply here.
Back
Top