openSUSE-SU-2021:1289-1: important: Security update for php-composer
openSUSE Security Update: Security update for php-composer
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1289-1
Rating: important
References: #1185376 #1187416
Cross-References: CVE-2021-29472
CVSS scores:
CVE-2021-29472 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.2
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for php-composer fixes the following issues:
- Require php-mbstring as requested in boo#1187416
- Version 1.10.22
* Security: Fixed command injection vulnerability in
HgDriver/HgDownloader and hardened other VCS drivers and downloaders
(GHSA-h5h8-pc6h-jvvx / CVE-2021-29472), boo#1185376
- Version 1.10.21
* Fixed support for new GitHub OAuth token format
* Fixed processes silently ignoring the CWD when it does not exist
- Version 1.10.20
* Fixed exclude-from-classmap causing regex issues when having too many
paths
* Fixed compatibility issue with Symfony 4/5
- Version 1.10.17
* Fixed Bitbucket API authentication issue
* Fixed parsing of Composer 2 lock files breaking in some rare conditions
- Version 1.10.16
* Added warning to validate command for cases where packages provide/replace
a package that they also require
* Fixed JSON schema validation issue with PHPStorm
* Fixed symlink handling in archive command
- Version 1.10.15
* Fixed path repo version guessing issue
- Version 1.10.14
* Fixed version guesser to look at remote branches as well as local
ones
* Fixed path repositories version guessing to handle edge cases where
version is different from the VCS-guessed version
* Fixed COMPOSER env var causing issues when combined with the global
command
* Fixed a few issues dealing with PHP without openssl extension (not
recommended at all but sometimes needed for testing)
- Version 1.10.13
* Fixed regressions with old version validation
* Fixed invalid root aliases not being reported
- Version 1.10.12
* Fixed regressions with old version validation
- Version 1.10.11
* Fixed more PHP 8 compatibility issues
* Fixed regression in handling of CTRL-C when xdebug is loaded
* Fixed status handling of broken symlinks
- Version 1.10.10
* Fixed create-project not triggering events while installing the root
package
* Fixed PHP 8 compatibility issue
* Fixed self-update to avoid automatically upgrading to the next major
version once it becomes stable
- Version 1.10.9
* Fixed Bitbucket redirect loop when credentials are outdated
* Fixed GitLab auth prompt wording
* Fixed self-update handling of files requiring admin permissions to
write to on Windows (it now does a UAC prompt)
* Fixed parsing issues in funding.yml files
- Version 1.10.8
* Fixed compatibility issue with git being configured to show signatures
by default
* Fixed discarding of local changes when updating packages to include
untracked files
* Several minor fixes
- Version 1.10.7
* Fixed PHP 8 deprecations
* Fixed detection of pcntl_signal being in disabled_functions when
pcntl_async_signal is allowed
- Version 1.10.6
* Fixed version guessing to take composer-runtime-api and
composer-plugin-api requirements into account to avoid selecting
packages which require Composer 2
* Fixed package name validation to allow several dashes following each
other
* Fixed post-status-cmd script not firing when there were no changes to
be displayed
* Fixed composer-runtime-api support on Composer 1.x, the package is now
present as 1.0.0
* Fixed support for composer show --name-only --self
* Fixed detection of GitLab URLs when handling authentication in some
cases
- Version 1.10.5
* Fixed self-update on PHP ...
A php-composer security update has been released for openSUSE Leap 15.2, SUSE Linux Enterprise 15 SP1, SUSE Linux Enterprise 15 SP2, and SUSE Linux Enterprise 15 SP3.
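The CVE-2021-29472 entry above names a command injection in the Mercurial driver and downloader and a hardening of the other VCS drivers. As an added illustration (not Composer's own code or its actual fix), the following shows the general defensive pattern for any tool that builds a VCS command from a repository URL it did not author: reject values that could be parsed as options, restrict the accepted URL shape, quote every argument, and end option parsing with `--`. The function names and sample inputs are constructed for this example.

```php
<?php
// Added example, not taken from Composer. Validates an untrusted Mercurial
// repository URL before it is placed into a shell command line.

function assertSafeVcsUrl(string $url): string
{
    // A value beginning with '-' would be read by hg (or git) as an option
    // rather than as a repository location, so it is refused outright.
    if ($url === '' || $url[0] === '-') {
        throw new InvalidArgumentException("Unsafe repository URL: $url");
    }
    // Only remote schemes a download is expected to use are accepted; the
    // character set is the URL-safe set, so whitespace, quotes and shell
    // metacharacters never reach the command line.
    $pattern = '#^(https?|ssh)://[A-Za-z0-9._~:/?\#\[\]@!$&\'()*+,;=%-]+$#';
    if (!preg_match($pattern, $url)) {
        throw new InvalidArgumentException("Malformed repository URL: $url");
    }
    return $url;
}

function buildHgCloneCommand(string $url, string $target): string
{
    $url = assertSafeVcsUrl($url);
    // '--' terminates option parsing, so even a validated value can only be
    // a positional argument; escapeshellarg() quotes each argument for the
    // shell so the command string cannot be split or chained.
    return sprintf('hg clone -- %s %s',
        escapeshellarg($url), escapeshellarg($target));
}

// Constructed sample inputs: one ordinary URL and one option-shaped value.
echo buildHgCloneCommand('https://hg.example.org/project', '/tmp/project'), "\n";
try {
    buildHgCloneCommand('--some-option', '/tmp/project');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same checks apply to the download URLs recorded in a lock file, since those are also consumed by the downloaders rather than typed by the operator.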