## Impact

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a PHP file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.
## Patches
2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.
## Workarounds
Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.
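The two conditions the advisory names can be checked on a host before the patched release is rolled out. The script below is an added example, not Composer's or the advisory's own code: it reads a php.ini the way PHP does (the last uncommented assignment wins, values are parsed with PHP's ini boolean rules, and the built-in default is On when the directive is absent, which is why php.ini-production sets it Off) and then looks for any composer.phar under a document root. The sample ini contents and the temporary document root are constructed here for illustration.

```python
"""Audit a PHP web host for the two conditions in GHSA-jm6m-4632-36hf /
CVE-2023-43655: register_argc_argv enabled and composer.phar reachable
under a document root.  Added example, not Composer's own code."""
import os
import re
import tempfile


def _ini_bool(value: str) -> bool:
    """Mirror PHP's ini boolean parsing: 'true', 'yes', 'on' are on;
    otherwise the leading integer decides (so '0', 'off', 'false',
    'none' and '' are off)."""
    v = value.strip().strip('"\'').lower()
    if v in ("true", "yes", "on"):
        return True
    m = re.match(r"-?\d+", v)
    return bool(m) and int(m.group()) != 0


def parse_register_argc_argv(ini_text: str) -> bool:
    """Return True when this php.ini content leaves register_argc_argv
    enabled for a web SAPI.  The built-in default is On, so a file that
    never mentions the directive counts as enabled; a later assignment
    overrides an earlier one, as in PHP.  Directive names are
    case-sensitive, values are not."""
    enabled = True  # built-in default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("["):  # blank or [section] line
            continue
        m = re.match(r"register_argc_argv\s*=\s*(.*)$", line)
        if m:
            enabled = _ini_bool(m.group(1))
    return enabled


def find_exposed_phars(docroot: str) -> list:
    """Return the paths of every composer.phar below a document root."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name == "composer.phar":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def assess(ini_text: str, docroot: str) -> dict:
    """Combine both checks.  The advisory applies only when both hold, but
    a phar inside a docroot is reported regardless: it should not be there."""
    argv_on = parse_register_argc_argv(ini_text)
    phars = find_exposed_phars(docroot)
    return {
        "register_argc_argv": argv_on,
        "exposed_phars": phars,
        "at_risk": argv_on and bool(phars),
    }


# Constructed sample ini contents (not from any real host).
PRODUCTION_INI = """
[PHP]
; php.ini-production ships with this line
register_argc_argv = Off
"""

RISKY_INI = """
[PHP]
register_argc_argv = Off  ; an earlier line ...
register_argc_argv = On   ; ... is overridden by a later one
"""

EMPTY_INI = "; the directive is never mentioned, so PHP's default applies\n"


def make_demo_docroot() -> str:
    """Create a throwaway document root containing a composer.phar
    (constructed for the demo; the phar is an empty placeholder file)."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    os.makedirs(os.path.join(root, "tools"))
    open(os.path.join(root, "tools", "composer.phar"), "w").close()
    return root


if __name__ == "__main__":
    docroot = make_demo_docroot()
    for label, ini in (("production", PRODUCTION_INI), ("risky", RISKY_INI),
                       ("empty", EMPTY_INI)):
        print(label, assess(ini, docroot))
```

On a live host treat phpinfo() output from the web SAPI itself as the authoritative value: scanned ini directories, `.user.ini` files and per-directory overrides can change the effective setting, and this parser reads a single file. The CLI's own `php -i` is not representative, because the CLI SAPI forces `register_argc_argv` on regardless of php.ini.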
## Release Notes
composer/composer (composer/composer)
### [`v2.6.4`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#264-2023-09-29)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.3...2.6.4)
- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
- Fixed json output of abandoned packages in audit command ([#11647](https://togithub.com/composer/composer/issues/11647))
- Performance improvement in pool optimization step ([#11638](https://togithub.com/composer/composer/issues/11638))
- Performance improvement in `show -a` ([#11659](https://togithub.com/composer/composer/issues/11659))
### [`v2.6.3`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#263-2023-09-15)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.2...2.6.3)
- Added audit.abandoned config setting. Can be set to `ignore`, `report` (current default) or `fail` (future default in 2.7) to make the audit command report abandoned packages as a security problem ([#11639](https://togithub.com/composer/composer/issues/11639))
- Added a warning when duplicates `files` autoload rules are detected ([#11109](https://togithub.com/composer/composer/issues/11109))
- Fixed unhandled promise rejection regression ([#11620](https://togithub.com/composer/composer/issues/11620))
- Fixed loading of root aliases on path repo packages when doing partial updates ([#11632](https://togithub.com/composer/composer/issues/11632))
- Fixed `archive` command not producing the correct output if the temp dir is a symlink ([#11636](https://togithub.com/composer/composer/issues/11636))
- Fixed some replaced packages being incorrectly missing when unlocked in a partial update ([#11629](https://togithub.com/composer/composer/issues/11629))
### [`v2.6.2`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#262-2023-09-03)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.1...2.6.2)
- Reverted "Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))" which caused a regression ([#11617](https://togithub.com/composer/composer/issues/11617))
- Fixed non-zero exit code on failed audits to only apply to `install --audit` runs and not implicit audits with `require`, `create-project` or `update` commands ([#11616](https://togithub.com/composer/composer/issues/11616))
- Fixed `create-project` infinite post-install loop in some circumstances ([#11613](https://togithub.com/composer/composer/issues/11613))
### [`v2.6.1`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#261-2023-09-01)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.0...2.6.1)
- Reverted "Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))" which caused a regression ([#11612](https://togithub.com/composer/composer/issues/11612))
### [`v2.6.0`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#260-2023-09-01)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.8...2.6.0)
- Added audit.ignore config setting to ignore security advisories by id or CVE id ([#11556](https://togithub.com/composer/composer/issues/11556), [#11605](https://togithub.com/composer/composer/issues/11605))
- Added `rm` alias to the `remove` command ([#11367](https://togithub.com/composer/composer/issues/11367))
- Added runtime platform check to verify the php-64bit requirement is met ([#11334](https://togithub.com/composer/composer/issues/11334))
- Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka ([#11418](https://togithub.com/composer/composer/issues/11418))
- Added `--dry-run` to `dump-autoload` command to allow running --strict-psr checks without modifying the filesystem ([#11608](https://togithub.com/composer/composer/issues/11608))
- Added support for `bump`ing patch level in `~1.2.3` constraints ([#11590](https://togithub.com/composer/composer/issues/11590))
- Added prompt in `require` if the package name is not found but similar ones exist ([#11284](https://togithub.com/composer/composer/issues/11284))
- Added support for env vars and `~` in repository paths for vcs and artifact repositories ([#11453](https://togithub.com/composer/composer/issues/11453))
- Added support for local directory paths for repositories of type `composer` ([#11526](https://togithub.com/composer/composer/issues/11526))
- Added links to package homepages in `why`/`why-not` command output ([#11308](https://togithub.com/composer/composer/issues/11308))
- Added a `security` key to the `support` key of composer.json to set the URL to the vulnerability disclosure policy ([#11271](https://togithub.com/composer/composer/issues/11271))
- Added support for gathering security advisories from multiple repositories for a single package ([#11436](https://togithub.com/composer/composer/issues/11436))
- Fixed `install` exit code to be non-zero (5) if a requested security audit failed ([#11362](https://togithub.com/composer/composer/issues/11362))
- ~~Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))~~ (Reverted in 2.6.2)
- ~~Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))~~ (Reverted in 2.6.1)
- Fixed `mtime` modification of the vendor dir to only happen when packages are modified, and not require lock file modification to happen ([#11593](https://togithub.com/composer/composer/issues/11593))
- Fixed `create-project` using the wrong composer.json file if one was set via the `COMPOSER` env var ([#11493](https://togithub.com/composer/composer/issues/11493))
- Fixed json editing to preserve indentation when updating json files ([#11390](https://togithub.com/composer/composer/issues/11390))
- Fixed handling of broken junctions on windows ([#11550](https://togithub.com/composer/composer/issues/11550))
- Fixed parsing of lib-curl-openssl version with OSX SecureTransport ([#11534](https://togithub.com/composer/composer/issues/11534))
- Fixed svn repo parsing in some edge cases ([#11350](https://togithub.com/composer/composer/issues/11350))
- Fixed handling of archive URLs without file extension ([#11520](https://togithub.com/composer/composer/issues/11520))
- Performance improvement in pool optimization step ([#11449](https://togithub.com/composer/composer/issues/11449), [#11450](https://togithub.com/composer/composer/issues/11450))
### [`v2.5.8`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#258-2023-06-09)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.7...2.5.8)
- Fixed regression in edge cases where root package gets added to a repository already during the install process ([#11495](https://togithub.com/composer/composer/issues/11495))
- Fixed EventDispatcher on windows picking bat files when using "[@php](https://togithub.com/php) binary" ([#11490](https://togithub.com/composer/composer/issues/11490))
- Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle ([#11492](https://togithub.com/composer/composer/issues/11492))
- Fixed type declarations on ClassLoader ([#11500](https://togithub.com/composer/composer/issues/11500))
### [`v2.5.7`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#257-2023-05-24)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.6...2.5.7)
- Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev ([#11481](https://togithub.com/composer/composer/issues/11481))
### [`v2.5.6`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#256-2023-05-24)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.5...2.5.6)
- BC Warning: Installers and `InstallationManager::getInstallPath` will now return `null` instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely ([#11455](https://togithub.com/composer/composer/issues/11455))
- Fixed metapackages showing their install path as the root package's path instead of empty ([#11455](https://togithub.com/composer/composer/issues/11455))
- Fixed lock file verification on `install` to deal better with `replace`/`provide` ([#11475](https://togithub.com/composer/composer/issues/11475))
- Fixed lock file having a more recent modification time than the vendor dir when `require` guesses the constraint after resolution ([#11405](https://togithub.com/composer/composer/issues/11405))
- Fixed numeric default branches with a `v` prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would ([`e51d755`](https://togithub.com/composer/composer/commit/e51d755a08))
- Fixed binary proxies not being transparent when included by another PHP process and returning a value ([#11454](https://togithub.com/composer/composer/issues/11454))
- Fixed support for plugin classes being marked as `readonly` ([#11404](https://togithub.com/composer/composer/issues/11404))
- Fixed `getmypid` being required as it is not always available ([#11401](https://togithub.com/composer/composer/issues/11401))
- Fixed authentication issue when downloading several files from private Bitbucket in parallel ([#11464](https://togithub.com/composer/composer/issues/11464))
### [`v2.5.5`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#255-2023-03-21)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.4...2.5.5)
- Fixed basic auth failures resulting in infinite retry loop ([#11320](https://togithub.com/composer/composer/issues/11320))
- Fixed GitHub rate limit reporting ([#11366](https://togithub.com/composer/composer/issues/11366))
- Fixed InstalledVersions error in Composer 1 compatibility edge case ([#11304](https://togithub.com/composer/composer/issues/11304))
- Fixed issue displaying solver problems with branch names containing `%` signs ([#11359](https://togithub.com/composer/composer/issues/11359))
- Fixed race condition in cache validity detection when running Composer highly concurrently ([#11375](https://togithub.com/composer/composer/issues/11375))
- Fixed various minor config command issues ([#11353](https://togithub.com/composer/composer/issues/11353), [#11302](https://togithub.com/composer/composer/issues/11302))
### [`v2.5.4`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#254-2023-02-15)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.3...2.5.4)
- Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks ([#11318](https://togithub.com/composer/composer/issues/11318))
### [`v2.5.3`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#253-2023-02-10)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.2...2.5.3)
- Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive ([#11315](https://togithub.com/composer/composer/issues/11315))
### [`v2.5.2`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#252-2023-02-04)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.1...2.5.2)
- Added warning when `require` auto-selects a feature branch as that is probably not desired ([#11270](https://togithub.com/composer/composer/issues/11270))
- Fixed `self.version` requirements reporting lock file integrity errors when changing branches ([#11283](https://togithub.com/composer/composer/issues/11283))
- Fixed `require` regression which broke the --fixed flag ([#11247](https://togithub.com/composer/composer/issues/11247))
- Fixed security audit reports loading when exclude/only filter rules are used on a repository ([#11281](https://togithub.com/composer/composer/issues/11281))
- Fixed autoloading regression on PHP 5.6 ([#11285](https://togithub.com/composer/composer/issues/11285))
- Fixed archive command including an existing archive into itself if run repeatedly ([#11239](https://togithub.com/composer/composer/issues/11239))
- Fixed dev package prompt in `require` not appearing in some conditions ([#11287](https://togithub.com/composer/composer/issues/11287))
## Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates: composer/composer `^2.5.1` -> `^2.6.4`

## GitHub Vulnerability Alerts

### CVE-2023-43655
Read more about the use of Renovate Bot within ocramius/* projects.