Ocramius / PackageVersions

:package: Composer addon to efficiently get installed packages' version numbers
MIT License

Update dependency composer/composer to ^2.7.7 [SECURITY] - autoclosed #255

Closed renovate[bot] closed 4 months ago

renovate[bot] commented 4 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| [composer/composer](https://github.com/composer/composer) (source) | `^2.7.6` -> `^2.7.7` |

GitHub Vulnerability Alerts

CVE-2024-35241

Impact

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

CVE-2024-35242

Impact

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid cloning potentially compromised repositories.


Release Notes

composer/composer (composer/composer)

### [`v2.7.7`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#277-2024-06-10)

[Compare Source](https://togithub.com/composer/composer/compare/2.7.6...2.7.7)

- Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
- Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
- Security: Fixed secure-http checks that could be bypassed by using malformed URL formats ([`fa3b958`](https://togithub.com/composer/composer/commit/fa3b9582c))
- Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux ([`3c37a67`](https://togithub.com/composer/composer/commit/3c37a67c))
- Security: Fixed perforce argument escaping ([`3773f77`](https://togithub.com/composer/composer/commit/3773f775))
- Security: Fixed handling of zip bombs when extracting archives ([`de5f7e3`](https://togithub.com/composer/composer/commit/de5f7e32))
- Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion ([`3130a74`](https://togithub.com/composer/composer/commit/3130a7455), [`04a63b3`](https://togithub.com/composer/composer/commit/04a63b324))
- Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown ([#11957](https://togithub.com/composer/composer/issues/11957))
- Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches ([#12000](https://togithub.com/composer/composer/issues/12000))
- Fixed new platform requirements from composer.json not being checked if the lock file is outdated ([#12001](https://togithub.com/composer/composer/issues/12001))
- Fixed ability for `config` command to remove autoload keys ([#11967](https://togithub.com/composer/composer/issues/11967))
- Fixed empty `type` support in `init` command ([#11999](https://togithub.com/composer/composer/issues/11999))
- Fixed git clone errors when `safe.bareRepository` is set to `strict` in the git config ([#11969](https://togithub.com/composer/composer/issues/11969))
- Fixed regression showing network errors on PHP <8.1 ([#11974](https://togithub.com/composer/composer/issues/11974))
- Fixed some color bleed from a few warnings ([#11972](https://togithub.com/composer/composer/issues/11972))

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



Read more about the use of Renovate Bot within ocramius/* projects.
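The advisory text in the PR above gives the two things that matter operationally: the patched releases (2.2.24 on the 2.2 LTS line, 2.7.7 on mainline) and the workaround (`--prefer-dist` / `preferred-install: dist`), with malicious git/hg branch names as the trigger for both CVEs. The script below is an added example written for this page; it is not code from the Renovate PR, from PackageVersions, or from composer. It checks whether the composer on `PATH` is at or past the patched release for its line, whether a project's `composer.json` applies the documented workaround, and whether a cloned repository carries branch names with shell-significant characters. The character set it flags (shell metacharacters, quotes, whitespace, a leading dash) is a conservative heuristic of my own, not the exact set composer's fix rejects, so a hit means "inspect this clone", not proof of an attack; the `composer --version` output format and the `composer.json` grep are likewise assumptions about layout, not something the advisory states.

```shell
#!/bin/sh
# Added example (not from the Renovate PR, PackageVersions or composer):
# post-advisory checks for CVE-2024-35241 / CVE-2024-35242.

# version_ge A B: succeed when dotted version A >= B (missing components = 0)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# composer_patched VERSION: 2.2.x needs 2.2.24, every other line needs 2.7.7
# (2.3 through 2.6 received no backport per the advisory, so they must move
# to mainline; 1.x is likewise unpatched)
composer_patched() {
    case "$1" in
        2.2.*) version_ge "$1" 2.2.24 ;;
        *)     version_ge "$1" 2.7.7 ;;
    esac
}

# prefers_dist FILE: succeed when composer.json sets "preferred-install": "dist"
# (assumption: a per-package map such as {"*": "dist"} is NOT recognised here)
prefers_dist() {
    grep -Eq '"preferred-install"[[:space:]]*:[[:space:]]*"dist"' "$1"
}

# suspicious_branch_name NAME: heuristic (assumption) for names a shell or a
# git/hg option parser could interpret; git itself permits ; | & $ ` ( ) < > '
# and a leading dash in ref names, so these survive a clone untouched
suspicious_branch_name() {
    case "$1" in
        -*)                       return 0 ;;   # could be parsed as an option
        *[';|&$`()<>"\\']*)       return 0 ;;   # shell metacharacters / quotes
        *"'"*)                    return 0 ;;   # single quote
        *[[:space:]]*)            return 0 ;;   # whitespace
        *)                        return 1 ;;
    esac
}

# audit_branch_names: one name per line on stdin; prints offenders, fails if any
audit_branch_names() {
    found=0
    while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        if suspicious_branch_name "$name"; then
            printf 'suspicious branch name: %s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# audit_git_branches DIR: feed every local and remote-tracking branch name of
# a clone to the audit (requires git)
audit_git_branches() {
    git -C "$1" for-each-ref --format='%(refname:short)' refs/heads refs/remotes \
        | audit_branch_names
}

main() {
    status=0
    # assumption: "Composer version X.Y.Z <date>" as printed by composer --version
    ver=$(composer --no-ansi --version 2>/dev/null | awk '{print $3}')
    if [ -z "$ver" ]; then
        echo "composer not found on PATH"; status=1
    elif composer_patched "$ver"; then
        echo "composer $ver: at or past the patched release"
    else
        echo "composer $ver: UNPATCHED, upgrade to 2.2.24 (2.2 LTS) or 2.7.7"; status=1
    fi
    if [ -f "$1/composer.json" ] && ! prefers_dist "$1/composer.json"; then
        echo "composer.json does not set preferred-install: dist (advisory workaround)"
    fi
    audit_git_branches "$1" || status=1
    return "$status"
}

# Run the full check only when a clone path is given, e.g.
#   sh composer-advisory-check.sh /path/to/clone
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Run it against each clone before `composer install`, `status`, `reinstall` or `remove` on a pre-2.7.7 (or pre-2.2.24) composer; the branch audit is the part that stays useful after upgrading, since a ref name full of metacharacters is worth a look regardless of which tool consumes it.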