Users publishing a `composer.phar` to a public web-accessible server, where the `composer.phar` can be executed as a PHP file, may be impacted if PHP also has `register_argc_argv` enabled in php.ini.
Patches
2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.
Workarounds
Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing `composer.phar` to the web, as this really should not happen.
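One way to audit a host for the two preconditions the advisory names (an added example, not part of the advisory or of Composer; the function names and the php.ini handling are assumptions made here):

```shell
#!/bin/sh
# Added example, not Composer's own code. Audits a host for the two
# conditions named in the advisory: register_argc_argv enabled in php.ini
# and a composer.phar sitting under a web document root.
# Function names and sample inputs are assumptions made for this example.

# Returns 0 when the given php.ini enables register_argc_argv.
# Accepts On/1/true/yes case-insensitively, skips ';' comment lines and
# uses the last assignment when the directive appears more than once.
ini_register_argc_argv_enabled() {
  val=$(grep -i '^[[:space:]]*register_argc_argv[[:space:]]*=' "$1" \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]"' | tr 'A-Z' 'a-z')
  case "$val" in
    on|1|true|yes) return 0 ;;
    *)             return 1 ;;
  esac
}

# Prints every composer.phar found under a document root; returns 0 if
# at least one was found, 1 otherwise.
find_exposed_composer_phar() {
  found=$(find "$1" -type f -name composer.phar 2>/dev/null)
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Gate for a deploy or CI check: returns 1 (fail) only when both
# conditions hold, so either mitigation on its own is enough to pass.
audit_host() {
  if ini_register_argc_argv_enabled "$1" \
     && find_exposed_composer_phar "$2" >/dev/null; then
    echo "FAIL: register_argc_argv is On in $1 and composer.phar is under $2"
    return 1
  fi
  echo "PASS: preconditions for CVE-2023-43655 are not both present"
  return 0
}
```

The ini check only sees the file it is handed; the effective value can also come from `php -d`, a `.user.ini` or a `php_admin_flag` in the web server configuration, so `php -i` on the host is the authoritative view.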
Release Notes
composer/composer (composer/composer)
### [`v2.6.4`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#264-2023-09-29)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.3...2.6.4)
- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
- Fixed json output of abandoned packages in audit command ([#11647](https://togithub.com/composer/composer/issues/11647))
- Performance improvement in pool optimization step ([#11638](https://togithub.com/composer/composer/issues/11638))
- Performance improvement in `show -a` ([#11659](https://togithub.com/composer/composer/issues/11659))
### [`v2.6.3`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#263-2023-09-15)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.2...2.6.3)
- Added audit.abandoned config setting. Can be set to `ignore`, `report` (current default) or `fail` (future default in 2.7) to make the audit command report abandoned packages as a security problem ([#11639](https://togithub.com/composer/composer/issues/11639))
- Added a warning when duplicate `files` autoload rules are detected ([#11109](https://togithub.com/composer/composer/issues/11109))
- Fixed unhandled promise rejection regression ([#11620](https://togithub.com/composer/composer/issues/11620))
- Fixed loading of root aliases on path repo packages when doing partial updates ([#11632](https://togithub.com/composer/composer/issues/11632))
- Fixed `archive` command not producing the correct output if the temp dir is a symlink ([#11636](https://togithub.com/composer/composer/issues/11636))
- Fixed some replaced packages being incorrectly missing when unlocked in a partial update ([#11629](https://togithub.com/composer/composer/issues/11629))
### [`v2.6.2`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#262-2023-09-03)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.1...2.6.2)
- Reverted "Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))" which caused a regression ([#11617](https://togithub.com/composer/composer/issues/11617))
- Fixed non-zero exit code on failed audits to only apply to `install --audit` runs and not implicit audits with `require`, `create-project` or `update` commands ([#11616](https://togithub.com/composer/composer/issues/11616))
- Fixed `create-project` infinite post-install loop in some circumstances ([#11613](https://togithub.com/composer/composer/issues/11613))
### [`v2.6.1`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#261-2023-09-01)
[Compare Source](https://togithub.com/composer/composer/compare/2.6.0...2.6.1)
- Reverted "Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))" which caused a regression ([#11612](https://togithub.com/composer/composer/issues/11612))
### [`v2.6.0`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#260-2023-09-01)
[Compare Source](https://togithub.com/composer/composer/compare/2.5.8...2.6.0)
- Added audit.ignore config setting to ignore security advisories by id or CVE id ([#11556](https://togithub.com/composer/composer/issues/11556), [#11605](https://togithub.com/composer/composer/issues/11605))
- Added `rm` alias to the `remove` command ([#11367](https://togithub.com/composer/composer/issues/11367))
- Added runtime platform check to verify the php-64bit requirement is met ([#11334](https://togithub.com/composer/composer/issues/11334))
- Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka ([#11418](https://togithub.com/composer/composer/issues/11418))
- Added `--dry-run` to `dump-autoload` command to allow running --strict-psr checks without modifying the filesystem ([#11608](https://togithub.com/composer/composer/issues/11608))
- Added support for `bump`ing patch level in `~1.2.3` constraints ([#11590](https://togithub.com/composer/composer/issues/11590))
- Added prompt in `require` if the package name is not found but similar ones exist ([#11284](https://togithub.com/composer/composer/issues/11284))
- Added support for env vars and `~` in repository paths for vcs and artifact repositories ([#11453](https://togithub.com/composer/composer/issues/11453))
- Added support for local directory paths for repositories of type `composer` ([#11526](https://togithub.com/composer/composer/issues/11526))
- Added links to package homepages in `why`/`why-not` command output ([#11308](https://togithub.com/composer/composer/issues/11308))
- Added a `security` key to the `support` key of composer.json to set the URL to the vulnerability disclosure policy ([#11271](https://togithub.com/composer/composer/issues/11271))
- Added support for gathering security advisories from multiple repositories for a single package ([#11436](https://togithub.com/composer/composer/issues/11436))
- Fixed `install` exit code to be non-zero (5) if a requested security audit failed ([#11362](https://togithub.com/composer/composer/issues/11362))
- ~~Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))~~ (Reverted in 2.6.2)
- ~~Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))~~ (Reverted in 2.6.1)
- Fixed `mtime` modification of the vendor dir to only happen when packages are modified, and not require lock file modification to happen ([#11593](https://togithub.com/composer/composer/issues/11593))
- Fixed `create-project` using the wrong composer.json file if one was set via the `COMPOSER` env var ([#11493](https://togithub.com/composer/composer/issues/11493))
- Fixed json editing to preserve indentation when updating json files ([#11390](https://togithub.com/composer/composer/issues/11390))
- Fixed handling of broken junctions on Windows ([#11550](https://togithub.com/composer/composer/issues/11550))
- Fixed parsing of lib-curl-openssl version with OSX SecureTransport ([#11534](https://togithub.com/composer/composer/issues/11534))
- Fixed svn repo parsing in some edge cases ([#11350](https://togithub.com/composer/composer/issues/11350))
- Fixed handling of archive URLs without file extension ([#11520](https://togithub.com/composer/composer/issues/11520))
- Performance improvement in pool optimization step ([#11449](https://togithub.com/composer/composer/issues/11449), [#11450](https://togithub.com/composer/composer/issues/11450))
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates: composer/composer `^2.4.4` -> `^2.6.4`.
GitHub Vulnerability Alerts: CVE-2023-43655
Read more information about the use of Renovate Bot within Laminas.