| Field | Value |
|---|---|
| Summary | dev-php/composer: multiple vulnerabilities |
| Product | Gentoo Security |
| Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | CONFIRMED |
| Severity | normal |
| CC | guillaumeseren, hydrapolic, neb.semqen.ramesses, php-bugs, proxy-maint |
| Priority | Normal |
| Keywords | PMASKED |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=877639 |
| Whiteboard | B2 [ebuild] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 934666 |
| Bug Blocks | |
Description

John Helmert III, 2022-04-13 23:42:17 UTC
Ping. Please mask this package for removal or bump to at least version 2.2.12.

CVE-2023-43655 (https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf): Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
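An added audit helper for the two conditions the advisory combines, not code from this bug or from the Composer project: it reads a php.ini for `register_argc_argv` and scans a web document root for composer.phar. It assumes POSIX sh with awk and find; the php.ini and directory tree it checks are constructed samples, and an absent directive is reported as on because PHP's compiled-in default enables it.

```shell
#!/bin/sh
# Added audit helper for GHSA-jm6m-4632-36hf (not from the bug or Composer).
# Flags the two conditions the advisory combines: register_argc_argv enabled
# in php.ini, and a composer.phar reachable under a web document root.

# Print "on" or "off" for register_argc_argv in the php.ini given as $1.
# The last uncommented assignment wins; an absent directive is reported as
# "on" because PHP's compiled-in default enables it.
php_ini_register_argc_argv() {
  awk '
    /^[[:space:]]*;/ { next }
    /^[[:space:]]*register_argc_argv[[:space:]]*=/ {
      v = $0; sub(/^[^=]*=/, "", v); sub(/;.*$/, "", v)
      gsub(/[[:space:]"]/, "", v); v = tolower(v)
      state = (v == "1" || v == "on" || v == "yes" || v == "true") ? "on" : "off"
    }
    END { if (state == "") state = "on"; print state }
  ' "$1"
}

# List every composer.phar below the document root given as $1.
find_web_phars() { find "$1" -type f -name composer.phar 2>/dev/null; }

# Exit status: 1 = register_argc_argv on, 2 = composer.phar in web root, 3 = both.
audit_composer_exposure() {
  ini="$1"; docroot="$2"; rc=0
  if [ "$(php_ini_register_argc_argv "$ini")" = on ]; then
    echo "WARN: register_argc_argv is enabled in $ini"; rc=$((rc | 1))
  fi
  phars=$(find_web_phars "$docroot")
  if [ -n "$phars" ]; then
    echo "WARN: composer.phar published under $docroot:"; echo "$phars"; rc=$((rc | 2))
  fi
  [ "$rc" -eq 3 ] && echo "RISK: both advisory conditions hold; disable the directive and remove the phar"
  return "$rc"
}

# Constructed sample (php.ini plus a fake document root) so the script runs offline.
make_sample() {
  d=$(mktemp -d)
  printf 'register_argc_argv = Off\n; register_argc_argv = Off\nregister_argc_argv = "On" ; later wins\n' > "$d/php.ini"
  mkdir -p "$d/htdocs"; : > "$d/htdocs/composer.phar"
  echo "$d"
}

sample=$(make_sample)
audit_composer_exposure "$sample/php.ini" "$sample/htdocs"; echo "audit exit status: $?"
```

Point the two arguments at the real php.ini that the web SAPI loads (`php --ini` shows the CLI one, which may differ) and at each vhost's document root.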