
[SECURITY] [DLA 3777-1] composer security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3777-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
March 27, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : composer
Version        : 1.8.4-1+deb10u3
CVE ID         : CVE-2023-43655

Composer, an application-level dependency manager for the PHP
programming language, was vulnerable to the following issue.

CVE-2023-43655:

  Users publishing a composer.phar to a public, web-accessible server
  where the composer.phar can be executed as a PHP file may be subject
  to a remote code execution vulnerability if PHP also has
  `register_argc_argv` enabled in php.ini.

In addition, a Debian-specific problem was fixed: the autoload.php for
Composer now loads its imports from /usr/share/php instead of trusting
path resolution.
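As an added defensive check, not part of this advisory or of the composer package: a POSIX shell audit that reports whether a host matches the vulnerable configuration described for CVE-2023-43655, namely a composer.phar under a web-served directory together with `register_argc_argv` left enabled in the php.ini used by the web SAPI. The web-root and php.ini paths are arguments; the paths in the closing comment are placeholders for a typical buster host.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or composer): exit 0 when a host
# matches the CVE-2023-43655 preconditions, i.e. a composer.phar lives below a
# web-served directory AND register_argc_argv is enabled for the web SAPI.

# Exit 0 when the given php.ini leaves register_argc_argv enabled. PHP's
# built-in default is On, so an absent directive counts as enabled; the last
# assignment in the file wins; quotes and trailing ";" comments are ignored.
ini_register_argc_argv_enabled() {
    ini="$1"
    [ -r "$ini" ] || return 0          # cannot prove it is off: assume enabled
    grep -q '^[[:space:]]*register_argc_argv[[:space:]]*=' "$ini" || return 0
    val=$(sed -n 's/^[[:space:]]*register_argc_argv[[:space:]]*=[[:space:]]*//p' "$ini" \
          | tail -n 1 | sed 's/[[:space:];].*$//' | tr -d '"' | tr 'A-Z' 'a-z')
    case "$val" in
        ""|off|0|false|no|none) return 1 ;;   # the values PHP reads as false
        *) return 0 ;;                        # anything else: treat as enabled
    esac
}

# Print every regular file named composer.phar below the web root.
find_web_exposed_phars() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name 'composer.phar' 2>/dev/null
}

# Exit 0 when BOTH preconditions hold (host is exposed), 1 otherwise.
audit_composer_exposure() {
    webroot="$1"; ini="$2"
    phars=$(find_web_exposed_phars "$webroot")
    if [ -z "$phars" ]; then
        echo "OK: no composer.phar under $webroot"
        return 1
    fi
    echo "FOUND: composer.phar reachable through the web root:"
    echo "$phars"
    if ini_register_argc_argv_enabled "$ini"; then
        echo "EXPOSED: register_argc_argv is enabled in $ini (CVE-2023-43655)"
        return 0
    fi
    echo "MITIGATED by php.ini, but move the phar out of the web root anyway"
    return 1
}

# Stand-alone use: sh audit.sh WEBROOT PHP_INI. Placeholder paths for a buster
# host running PHP under Apache: /var/www/html /etc/php/7.3/apache2/php.ini
if [ "$#" -ge 2 ]; then
    audit_composer_exposure "$1" "$2"
fi
```

Check the ini of the SAPI that actually serves the phar (apache2 or fpm); the cli SAPI forces `register_argc_argv` on regardless of php.ini, so its setting says nothing about web exposure.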

For Debian 10 buster, this problem has been fixed in version
1.8.4-1+deb10u3.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/composer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
