这是indexloc提供的服务,不要输入任何密码
Skip to content

Update dependency composer/composer to ^2.2.12 [SECURITY] - autoclosed #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Update dependency composer/composer to ^2.2.12 [SECURITY] - autoclosed #239

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 31, 2022
edited by Ocramius
Loading

Mend Renovate

This PR contains the following updates:

Package Type Update Change
composer/composer (source) require-dev patch ^2.2.0 -> ^2.2.12

GitHub Vulnerability Alerts

CVE-2022-24828

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used.

This led to a vulnerability on Packagist.org and Private Packagist, i.e., using the composer.json readme field as a vector for injecting parameters into the $file argument for the Mercurial driver or via the $identifier argument for the Git and Mercurial drivers.

Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project's composer.json.

To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.

Release Notes

composer/composer

v2.2.12

Compare Source

  • Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
    • Fixed curl downloader not retrying when a DNS resolution failure occurs (#​10716)
    • Fixed composer.lock file still being used/read when the lock config option is disabled (#​10726)
    • Fixed validate command checking the lock file even if the lock option is disabled (#​10723)

v2.2.11

Compare Source

  • Added missing config.bitbucket-oauth in composer-schema.json
    • Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#​10682)
    • Updated semver, jsonlint deps for minor fixes
    • Fixed generation of autoload crashing if a package has a broken path (#​10688)
    • Removed dev-master=>dev-main alias from #​10372 as it does not work when reloading from lock file and extracting dev deps (#​10651)

v2.2.10

Compare Source

  • Fixed Bitbucket authorization detection due to API changes (#​10657)
    • Fixed validate command warning about dist/source keys if defined (#​10655)
    • Fixed deletion/handling of corrupted 0-bytes zip archives (#​10666)

v2.2.9

Compare Source

  • Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#​10621)

v2.2.8

Compare Source

  • Fixed files autoloading sort order to be fully deterministic (#​10617)
    • Fixed pool optimization pass edge cases (#​10579)
    • Fixed require command failing when self.version is used as constraint (#​10593)
    • Fixed --no-ansi / undecorated output still showing color in repo warnings (#​10601)
    • Performance improvement in pool optimization step (composer/semver#​131)

v2.2.7

Compare Source

  • Allow installation together with composer/xdebug-handler ^3 (#​10528)
    • Fixed support for packages with no licenses in licenses command output (#​10537)
    • Fixed handling of allow-plugins: false which kept warning (#​10530)
    • Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#​10521)
    • Fixed author parsing in init command requiring an email whereas the schema allows a name only (#​10538)
    • Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#​10541)
    • Performance improvement in pool optimization step (#​10546)

v2.2.6

Compare Source

  • BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed to COMPOSER_RUNTIME_BIN_DIR (#​10512)
    • Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#​10498)
    • Fixed package search not urlencoding the input (#​10500)
    • Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#​10514)
    • Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#​10482)
    • Fixed test suite compatibility with latest symfony/console releases (#​10499)
    • Fixed some error reporting edge cases (#​10484, #​10451, #​10493)

v2.2.5

Compare Source

  • Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#​10458)
    • Fixed artifact repositories crashing if a phar file was present in the directory (#​10406)
    • Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#​10468)
    • Fixed handling of non-string versions in package repositories metadata (#​10470)

v2.2.4

Compare Source

  • Fixed handling of process timeout when running async processes during installation
    • Fixed GitLab API handling when projects have a repository disabled (#​10440)
    • Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#​10434)
    • Fixed partial update issues with path repos missing if a path repo is required by a path repo (#​10431)
    • Fixed support for sourcing binaries via the new bin proxies (#​10389)
    • Fixed messaging when GitHub tokens need SSO authorization (#​10432)

v2.2.3

Compare Source

  • Fixed issue with PHPUnit and process isolation now including PHPUnit <6.5 (#​10387)
    • Fixed interoperability issue with laminas/laminas-zendframework-bridge and Composer 2.2 (#​10401)
    • Fixed binary proxies for shell scripts to work correctly when they are symlinked (jakzal/phpqa#​336)
    • Fixed overly greedy pool optimization in cases where a locked package is not required by anything anymore in a partial update (#​10405)

v2.2.2

Compare Source

  • Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with $BASH_SOURCES[0] will need to update their binaries (#​10402)
    • Fixed issue when new binary proxies are combined with PHPUnit and process isolation (#​10387)
    • Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself (#​10404)
    • Fixed UX of plugin warnings (#​10381)

v2.2.1

Compare Source

  • Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#​10935)
    • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#​10928)
    • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#​10925)
    • Fixed support for disable_functions containing disk_free_space (#​10936)
    • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#​10940)

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Read more about the use of Renovate Bot within ocramius/* projects.

@renovate renovate bot added the security label Oct 31, 2022
@renovate
Update dependency composer/composer to ^2.2.12 [SECURITY]
a3598f5 
| datasource | package           | from  | to     |
| ---------- | ----------------- | ----- | ------ |
| packagist  | composer/composer | 2.2.0 | 2.2.12 |
@renovate renovate bot force-pushed the renovate/packagist-composer/composer-vulnerability branch from 2e6108c to a3598f5 Compare October 31, 2022 12:33
@renovate renovate bot changed the title Update dependency composer/composer to ^2.2.12 [SECURITY] Update dependency composer/composer to ^2.2.12 [SECURITY] - autoclosed Oct 31, 2022
@renovate renovate bot closed this Oct 31, 2022
@renovate renovate bot deleted the renovate/packagist-composer/composer-vulnerability branch October 31, 2022 12:49
@Ocramius Ocramius added this to the 2.7.0 milestone Oct 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

2.7.0

Development

Successfully merging this pull request may close these issues.

2 participants

@Ocramius