Security update composer/composer (CVE-2023-43655)

Created on 5 October 2023, 8 months ago
Updated 17 November 2023, 7 months ago

Problem/Motivation

Discussed this with @longwave who discussed it with @greggles, both from the Security Team, and this CVE was found suitable to be handled in public.

Steps to reproduce

$ composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+-------------------------------------------------------------------------------+
| Package           | composer/composer                                                             |
| CVE               | CVE-2023-43655                                                                |
| Title             | Composer Remote Code Execution vulnerability via web-accessible composer.phar |
| URL               | https://github.com/advisories/GHSA-jm6m-4632-36hf                             |
| Affected versions | >=2.3.0,<2.6.4|>=2.0.0,<2.2.22|<1.10.27                                       |
| Reported at       | 2023-09-29T20:39:21+00:00                                                     |
+-------------------+-------------------------------------------------------------------------------+

Proposed resolution

Update composer/composer to 2.6.4 and bump the version in composer.json to this one.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet
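Two checks a practitioner would want around the update described in the Proposed resolution, as an added shell example that is not part of this issue, of Drupal core, or of Composer's own code: it evaluates a composer/composer version against the "Affected versions" constraint printed by `composer audit` above (the constraint grammar assumed here is ranges joined by `|`, each a comma-separated list of `>=`/`<`-style comparisons, as in the audit output), and it lists any composer.phar found under a given docroot, since a web-reachable composer.phar is the vector named in the advisory title. Version ordering relies on `sort -V` (GNU coreutils; also available on current BSD sort), the docroot path is a constructed argument, and the sample versions are constructed.

```shell
#!/bin/sh
# Added example, not code from the issue or from Composer.
# Checks a composer/composer version against the advisory's affected ranges
# and looks for composer.phar files under a docroot.

# Constraint copied from the `composer audit` output for CVE-2023-43655.
ADVISORY_RANGE='>=2.3.0,<2.6.4|>=2.0.0,<2.2.22|<1.10.27'

# vcmp A B: echo "lt", "eq" or "gt" according to dotted-version order.
# Assumes `sort -V` for natural version ordering (2.10.0 > 2.9.9).
vcmp() {
  if [ "$1" = "$2" ]; then echo eq; return; fi
  if [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; then
    echo lt
  else
    echo gt
  fi
}

# satisfies VERSION COMPARISON: exit 0 if e.g. satisfies 2.6.3 '<2.6.4'.
# Two-character operators are matched before one-character ones.
satisfies() {
  v=$1
  case $2 in
    '>='*) bound=${2#">="}; r=$(vcmp "$v" "$bound"); [ "$r" != lt ] ;;
    '<='*) bound=${2#"<="}; r=$(vcmp "$v" "$bound"); [ "$r" != gt ] ;;
    '>'*)  bound=${2#">"};  [ "$(vcmp "$v" "$bound")" = gt ] ;;
    '<'*)  bound=${2#"<"};  [ "$(vcmp "$v" "$bound")" = lt ] ;;
    '='*)  bound=${2#"="};  [ "$(vcmp "$v" "$bound")" = eq ] ;;
    *)     return 2 ;;   # unknown operator: treat as not satisfied
  esac
}

# is_affected VERSION CONSTRAINT: exit 0 if VERSION lies inside any of the
# "|"-separated ranges; every comma-separated comparison in a range must hold.
is_affected() {
  v=$1
  constraint=$2
  old_ifs=$IFS
  IFS='|'
  for range in $constraint; do
    IFS=','
    ok=1
    for cmp in $range; do
      satisfies "$v" "$cmp" || ok=0
    done
    IFS='|'
    [ "$ok" = 1 ] && { IFS=$old_ifs; return 0; }
  done
  IFS=$old_ifs
  return 1
}

# exposed_phars DOCROOT: print any composer.phar below the web root, the
# file the advisory says must not be reachable through the web server.
exposed_phars() {
  find "$1" -type f -name 'composer.phar' 2>/dev/null
}

# Stand-alone usage (constructed): sh check_composer_cve.sh 2.6.3 ./web
if [ "$#" -ge 1 ]; then
  if is_affected "$1" "$ADVISORY_RANGE"; then
    echo "composer/composer $1 is inside the affected ranges; update to 2.6.4 as proposed"
  else
    echo "composer/composer $1 is outside the affected ranges"
  fi
  if [ "$#" -ge 2 ]; then
    exposed_phars "$2"
  fi
fi
```

The version to feed in is whatever `composer show composer/composer` reports for the project; the docroot is the directory the web server actually serves, which is where a stray composer.phar matters.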

📌 Task
Status

Fixed

Version

10.0 ✨

Component
Composer →

Last updated about 23 hours ago

No maintainer
Created by

🇳🇱 Netherlands Spokje


Comments & Activities
