Security update for php-composer2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2107-1 Final 1 1 2024-06-20T15:33:36Z current 2024-06-20T15:33:36Z 2024-06-20T15:33:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php-composer2 This update for php-composer2 fixes the following issues: - CVE-2024-35241: Fixed code execution when installing packages in repository with specially crafted branch names (bsc#1226181). - CVE-2024-35242: Fixed command injection via specially crafted branch names during repository cloning (bsc#1226182). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/php-apache:latest-2024-2107,Container bci/php-fpm:latest-2024-2107,Container bci/php:latest-2024-2107,SUSE-2024-2107,SUSE-SLE-Module-Web-Scripting-15-SP6-2024-2107,openSUSE-SLE-15.6-2024-2107 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242107-1/ Link for SUSE-SU-2024:2107-1 https://lists.suse.com/pipermail/sle-security-updates/2024-June/018769.html E-Mail link for SUSE-SU-2024:2107-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1226181 SUSE Bug 1226181 https://bugzilla.suse.com/1226182 SUSE Bug 1226182 https://www.suse.com/security/cve/CVE-2024-35241/ SUSE CVE CVE-2024-35241 page https://www.suse.com/security/cve/CVE-2024-35242/ SUSE CVE CVE-2024-35242 page Container bci/php-apache:latest Container bci/php-fpm:latest Container bci/php:latest SUSE Linux Enterprise Module for Web and Scripting 15 SP6 openSUSE Leap 15.6 php-composer2-2.6.4-150600.3.3.1 php-composer2-2.6.4-150600.3.3.1 as a component of Container bci/php-apache:latest php-composer2-2.6.4-150600.3.3.1 as a component of Container bci/php-fpm:latest php-composer2-2.6.4-150600.3.3.1 as a component of Container bci/php:latest php-composer2-2.6.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 php-composer2-2.6.4-150600.3.3.1 as a component of openSUSE Leap 15.6 Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. CVE-2024-35241 Container bci/php-apache:latest:php-composer2-2.6.4-150600.3.3.1 Container bci/php-fpm:latest:php-composer2-2.6.4-150600.3.3.1 Container bci/php:latest:php-composer2-2.6.4-150600.3.3.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1 openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242107-1/ https://www.suse.com/security/cve/CVE-2024-35241.html CVE-2024-35241 https://bugzilla.suse.com/1226181 SUSE Bug 1226181 Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories. CVE-2024-35242 Container bci/php-apache:latest:php-composer2-2.6.4-150600.3.3.1 Container bci/php-fpm:latest:php-composer2-2.6.4-150600.3.3.1 Container bci/php:latest:php-composer2-2.6.4-150600.3.3.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1 openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242107-1/ https://www.suse.com/security/cve/CVE-2024-35242.html CVE-2024-35242 https://bugzilla.suse.com/1226182 SUSE Bug 1226182