php-composer2-2.7.7-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14040-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z php-composer2-2.7.7-1.1 on GA media These are all security issues fixed in the php-composer2-2.7.7-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14040 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-35241/ SUSE CVE CVE-2024-35241 page https://www.suse.com/security/cve/CVE-2024-35242/ SUSE CVE CVE-2024-35242 page openSUSE Tumbleweed php-composer2-2.7.7-1.1 php-composer2-2.7.7-1.1 as a component of openSUSE Tumbleweed Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. CVE-2024-35241 openSUSE Tumbleweed:php-composer2-2.7.7-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-35241.html CVE-2024-35241 https://bugzilla.suse.com/1226181 SUSE Bug 1226181 Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories. CVE-2024-35242 openSUSE Tumbleweed:php-composer2-2.7.7-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-35242.html CVE-2024-35242 https://bugzilla.suse.com/1226182 SUSE Bug 1226182