-------------------------------------------------------------------------
Debian LTS Advisory DLA-3777-1                           [email protected]
https://www.debian.org/lts/security/                    Bastien Roucariès
March 27, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : composer
Version        : 1.8.4-1+deb10u3
CVE ID         : CVE-2023-43655

Composer, an application-level dependency manager for the PHP
programming language, was vulnerable.

CVE-2023-43655:

    Users publishing a composer.phar to a public web-accessible server
    where the composer.phar can be executed as a PHP file may be subject
    to a remote code execution vulnerability if PHP also has
    `register_argc_argv` enabled in php.ini.

Moreover, a Debian-specific problem was fixed: autoload.php for composer
now imports its dependencies from /usr/share/php instead of trusting
path resolution.

For Debian 10 buster, this problem has been fixed in version
1.8.4-1+deb10u3.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/composer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
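
The two conditions named for CVE-2023-43655 can be checked on a host with a short audit script. This is an added example, not part of the advisory or of Debian's or Composer's code; the function names are hypothetical, and the php.ini path and document root are supplied by the caller. A missing directive is treated as enabled, on the assumption (from the PHP manual) that the built-in default for `register_argc_argv` is on.

```shell
#!/bin/sh
# Added example: audit a host for the exposure conditions of CVE-2023-43655.
# Usage: sh audit.sh /path/to/php.ini /path/to/docroot   (both paths are assumptions)

# Print "on" or "off" for register_argc_argv as set in the given php.ini.
# Commented-out lines (starting with ';') are ignored; the last active line wins.
# A missing directive counts as "on" (PHP's documented built-in default).
argc_argv_state() {
    line=$(grep -E '^[[:space:]]*register_argc_argv[[:space:]]*=' "$1" 2>/dev/null | tail -n 1)
    if [ -z "$line" ]; then
        echo on
        return 0
    fi
    # Keep only the value: drop the key, any trailing ';' comment, spaces and quotes.
    val=$(printf '%s\n' "$line" \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
        | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case $val in
        0|off|false|no|none|'') echo off ;;
        *) echo on ;;
    esac
}

# List every composer.phar stored under a web-accessible document root.
find_exposed_phars() {
    find "$1" -type f -name 'composer.phar' 2>/dev/null | sort
}

# Return 1 (and print the findings) only when both conditions hold together.
audit_composer_exposure() {
    ini=$1
    docroot=$2
    state=$(argc_argv_state "$ini")
    phars=$(find_exposed_phars "$docroot")
    if [ "$state" = on ] && [ -n "$phars" ]; then
        printf 'EXPOSED: register_argc_argv is on (%s); found under %s:\n%s\n' \
            "$ini" "$docroot" "$phars"
        return 1
    fi
    printf 'ok: register_argc_argv=%s, composer.phar under docroot: %s\n' \
        "$state" "${phars:-none}"
    return 0
}

if [ $# -eq 2 ]; then
    audit_composer_exposure "$1" "$2"
fi
```

The script reads a single php.ini file only; per-directory overrides and web-server-level PHP settings are outside what it checks.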
