SUSE 5181 Published by

A php-composer security update has been released for openSUSE Leap 15.2, SUSE Linux Enterprise 15 SP1, SUSE Linux Enterprise 15 SP2, and SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2021:1289-1: important: Security update for php-composer


openSUSE Security Update: Security update for php-composer
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1289-1
Rating: important
References: #1185376 #1187416
Cross-References: CVE-2021-29472
CVSS scores:
CVE-2021-29472 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.2
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for php-composer fixes the following issues:

- Require php-mbstring as requested in boo#1187416

- Version 1.10.22

* Security: Fixed command injection vulnerability in
HgDriver/HgDownloader and hardened other VCS drivers and downloaders
(GHSA-h5h8-pc6h-jvvx / CVE-2021-29472), boo#1185376

- Version 1.10.21

* Fixed support for new GitHub OAuth token format
* Fixed processes silently ignoring the CWD when it does not exist

- Version 1.10.20

* Fixed exclude-from-classmap causing regex issues when having too many
paths
* Fixed compatibility issue with Symfony 4/5

- Version 1.10.17

* Fixed Bitbucket API authentication issue
* Fixed parsing of Composer 2 lock files breaking in some rare conditions

- Version 1.10.16

* Added warning to validate command for cases where packages provide/
replace a package that they also require
* Fixed JSON schema validation issue with PHPStorm
* Fixed symlink handling in archive command

- Version 1.10.15

* Fixed path repo version guessing issue

- Version 1.10.14

* Fixed version guesser to look at remote branches as well as local
ones
* Fixed path repositories version guessing to handle edge cases where
version is different from the VCS-guessed version
* Fixed COMPOSER env var causing issues when combined with the global
command
* Fixed a few issues dealing with PHP without openssl extension (not
recommended at all but sometimes needed for testing)

- Version 1.10.13

* Fixed regressions with old version validation
* Fixed invalid root aliases not being reported

- Version 1.10.12

* Fixed regressions with old version validation

- Version 1.10.11

* Fixed more PHP 8 compatibility issues
* Fixed regression in handling of CTRL-C when xdebug is loaded
* Fixed status handling of broken symlinks

- Version 1.10.10

* Fixed create-project not triggering events while installing the root
package
* Fixed PHP 8 compatibility issue
* Fixed self-update to avoid automatically upgrading to the next major
version once it becomes stable

- Version 1.10.9

* Fixed Bitbucket redirect loop when credentials are outdated
* Fixed GitLab auth prompt wording
* Fixed self-update handling of files requiring admin permissions to
write to on Windows (it now does a UAC prompt)
* Fixed parsing issues in funding.yml files

- Version 1.10.8

* Fixed compatibility issue with git being configured to show signatures
by default
* Fixed discarding of local changes when updating packages to include
untracked files
* Several minor fixes

- Version 1.10.7

* Fixed PHP 8 deprecations
* Fixed detection of pcntl_signal being in disabled_functions when
pcntl_async_signal is allowed

- Version 1.10.6

* Fixed version guessing to take composer-runtime-api and
composer-plugin-api requirements into account to avoid selecting
packages which require Composer 2
* Fixed package name validation to allow several dashes following each
other
* Fixed post-status-cmd script not firing when there were no changes to
be displayed
* Fixed composer-runtime-api support on Composer 1.x, the package is now
present as 1.0.0
* Fixed support for composer show --name-only --self
* Fixed detection of GitLab URLs when handling authentication in some
cases

- Version 1.10.5

* Fixed self-update on PHP ...