Ubuntu alert USN-7603-1 (composer)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7603-1] Composer vulnerabilities | |
| Date: | Wed, 02 Jul 2025 00:02:59 +0000 | |
| Message-ID: | <E1uWkwF-0007DO-Sy@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-7603-1 June 30, 2025 composer vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Composer. Software Description: - composer: Dependency Manager for PHP Details: Thomas Chauchefoin discovered that Composer did not correctly handle certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655) Ed Cradock discovered that Composer did not correctly handle the exclusion of certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821) Martin Haunschmid discovered that Composer did not correctly handle git branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35241) Maciej Piechota discovered that Composer did not correctly handle VCS branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35242) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS composer 2.7.1-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS composer 2.2.6-2ubuntu4+esm1 Available with Ubuntu Pro Ubuntu 20.04 LTS composer 1.10.1-1ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 18.04 LTS composer 1.6.3-1ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 16.04 LTS composer 1.0.0~beta2-1ubuntu0.1~esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7603-1 CVE-2022-24828, CVE-2023-43655, CVE-2024-24821, CVE-2024-35241, CVE-2024-35242
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmhjWfcACgkQcpJm3tlz hgHxew/9GgbBI1CQE0Gq6/d2MZNO7Hg2Oi5pikCz/PFV3Ca9cqgOK1aLpLscZOC9 LYd6kRTph7FAvOsALkIpGfN/WQ0qYMyurtbAVdtWGR8Wqj8zn90COFMnsZdxfNta nvYXzdmieQPdd2wCXKdoJ38wGdV5o510PMQintif8bfoh2KbyvHuZ72rNGYqDMEl Bb1CkMos1+c+h0JfpPbsd7AwiMu3X/attar9LiUT4g97NXEYfmzlf8HhPmdcARkt TcvcCnd6/5q2tEMaweKvpx0HMQULq4pmQWBmD2x2X7Bd9KLuUcn14+UZv/bcwf6f 4qZt2c487U0PEaVDTOoj5yk4/9pvqV4WscZ2gFDfwqZBH7eZuvBMsZ3C0VM/qpWz kRD39yvkjOTL/hDBf4uGs9HxfxMuv/NEaOaQYYW2RZUech/SmrQ4rSeaCfgCc9V1 xO263Dr+opTvPCDxiWjq+ebWRCYX9PSjQzghasQD1RS6VFtTfuD1uhk+lCSj3JVV H0AXzIRTl1wAuqFBNjFY8Oxpw6egjbQQSl3hftpiJhzH2NCyDgCR74qWK2sNIxBl q+n48tABmvyXmKaMlZzWUmSw3B9yeX+hgLjyJ1ZDWa5duilp6OyRGFYI5OhSPlki Lhl5kgdSHmtbD8j1+mr3ELqhWLnRVlX0+/4oq4E76krT6+zI8K8= =WxrI -----END PGP SIGNATURE-----