Security update for php-composer SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:0132-1 Final 1 1 2022-05-10T09:13:38Z current 2022-05-10T09:13:38Z 2022-05-10T09:13:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php-composer This update for php-composer fixes the following issues: php-composer was updated to version 1.10.26: * Security: Fixed command injection vulnerability in HgDriver/GitDriver: CVE-2022-24828 boo#1198494 Update to version 1.10.25 * Fix regression with PHP 8.1.0 and 8.1.1 Update to version 1.10.24 * Fixed PHP 8.1 compatibility Update to version 1.10.23 * Security: Fixed command injection vulnerability CVE-2021-41116 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-132 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GK3MSPNLXNEQ4P7QF5ZJB6IK4W6YAUKM/ E-Mail link for openSUSE-SU-2022:0132-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1198494 SUSE Bug 1198494 https://www.suse.com/security/cve/CVE-2021-41116/ SUSE CVE CVE-2021-41116 page https://www.suse.com/security/cve/CVE-2022-24828/ SUSE CVE CVE-2022-24828 page SUSE Package Hub 15 SP3 openSUSE Leap 15.3 php-composer-1.10.26-bp153.2.6.1 php-composer-1.10.26-bp153.2.6.1 as a component of SUSE Package Hub 15 SP3 php-composer-1.10.26-bp153.2.6.1 as a component of openSUSE Leap 15.3 Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue. CVE-2021-41116 SUSE Package Hub 15 SP3:php-composer-1.10.26-bp153.2.6.1 openSUSE Leap 15.3:php-composer-1.10.26-bp153.2.6.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GK3MSPNLXNEQ4P7QF5ZJB6IK4W6YAUKM/ https://www.suse.com/security/cve/CVE-2021-41116.html CVE-2021-41116 https://bugzilla.suse.com/1191438 SUSE Bug 1191438 Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. CVE-2022-24828 SUSE Package Hub 15 SP3:php-composer-1.10.26-bp153.2.6.1 openSUSE Leap 15.3:php-composer-1.10.26-bp153.2.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GK3MSPNLXNEQ4P7QF5ZJB6IK4W6YAUKM/ https://www.suse.com/security/cve/CVE-2022-24828.html CVE-2022-24828 https://bugzilla.suse.com/1198494 SUSE Bug 1198494