
Upgrade Composer version to 2.7.7 to address Composer vulnerabilities CVE-2024-35241 and CVE-2024-35242 #544

Open
wants to merge 1 commit into master

Conversation

TuVanDev
Member

Upgrade Composer version to 2.7.7 to address Composer vulnerabilities CVE-2024-35241 and CVE-2024-35242.

Reference:
https://blog.packagist.com/composer-2-7-7/

Nils Adermann, Jun 10, 2024:
Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures. Please update to the new versions immediately (e.g. with composer self-update).

Description

Fixed Issues (if relevant)

  1. CVE-2024-35241: Command injection via malicious git branch name
  2. CVE-2024-35242: Multiple command injections via malicious git/hg branch names

Manual testing scenarios

  1. ...
  2. ...

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages

to address Composer vulnerabilities CVE-2024-35241 and CVE-2024-35242
@TuVanDev
Member Author

Branches 2.4.4, 2.4.5, and 2.4.6 also need to upgrade the Composer version to 2.2.24 to address Composer vulnerabilities CVE-2024-35241 and CVE-2024-35242. Unfortunately, I copied only the master branch, so I can't create pull requests for these branches. It would be great if someone could do that.

Reference:
https://blog.packagist.com/composer-2-7-7/

Nils Adermann, Jun 10, 2024:
Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures. Please update to the new versions immediately (e.g. with composer self-update).

@DmitryFurs

@TuVanDev according to the documentation, a less strict version constraint can be used.

For Magento 2.4.7, you can specify: ~2.7.7 - Constraint will be satisfied by versions matching >=2.7.7 <2.8.0-0.

For Magento 2.4.4, 2.4.5 and 2.4.6 you can specify: ~2.2.24 - Constraint will be satisfied by versions matching >=2.2.24 <2.3.0-0.

This will result in using the latest version for Composer 2.7.x and 2.2.x each time. And there will be no need to constantly update this file.
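The tilde semantics in the comment above (`~2.7.7` allows `>=2.7.7 <2.8.0`, `~2.2.24` allows `>=2.2.24 <2.3.0`) are easy to get wrong when reviewing a lock file by eye. The following is an added example, not code from Magento or Composer: it expands a tilde constraint into its bounds and checks whether the `composer/composer` entry in a constructed `composer.lock` excerpt is inside the patched range. The lock excerpt, the `2.7.6` version in it, and the function names are all assumptions made for the illustration.

```python
"""Check a Composer tilde constraint against the locked composer/composer version.

Added example (not Magento's or Composer's own code). It models the tilde
operator as documented by Composer: the last given component may grow, the
one before it may not, so ~2.7.7 means >=2.7.7 <2.8.0 and ~2.2.24 means
>=2.2.24 <2.3.0.
"""
import json
from typing import Dict, List, Tuple

# Constructed composer.lock excerpt for the example; the 2.7.6 entry is
# deliberately one release below the patched 2.7.7.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "composer/composer", "version": "2.7.6"},
        {"name": "monolog/monolog", "version": "2.9.3"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> List[int]:
    """Turn '2.7.7' (or 'v2.7.7', '2.8.0-0') into [2, 7, 7]; suffixes are dropped."""
    core = version.lstrip("v").split("-")[0]
    return [int(part) for part in core.split(".")]


def tilde_bounds(constraint: str) -> Tuple[List[int], List[int]]:
    """Expand '~x.y.z' into (inclusive lower bound, exclusive upper bound)."""
    if not constraint.startswith("~"):
        raise ValueError("only tilde constraints are handled here: %r" % constraint)
    lower = parse_version(constraint[1:])
    if len(lower) == 1:
        upper = [lower[0] + 1]                      # ~2  -> >=2 <3
    else:
        upper = lower[:-2] + [lower[-2] + 1]        # ~2.7.7 -> <2.8 ; ~2.2.24 -> <2.3
    return lower, upper


def compare(a: List[int], b: List[int]) -> int:
    """Compare version lists component-wise, padding with zeros so 2.8 == 2.8.0."""
    width = max(len(a), len(b))
    a = a + [0] * (width - len(a))
    b = b + [0] * (width - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, constraint: str) -> bool:
    """True when `version` lies inside the range described by a tilde constraint."""
    lower, upper = tilde_bounds(constraint)
    v = parse_version(version)
    return compare(v, lower) >= 0 and compare(v, upper) < 0


def locked_version(lock_json: str, package: str) -> str:
    """Return the version pinned for `package` in a composer.lock document."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == package:
            return pkg["version"]
    raise KeyError("%s is not in the lock file" % package)


def check_lock(lock_json: str, constraint: str) -> Dict[str, object]:
    """Report whether the locked composer/composer version meets the constraint."""
    locked = locked_version(lock_json, "composer/composer")
    lower, upper = tilde_bounds(constraint)
    upper_padded = upper + [0] * (len(lower) - len(upper))
    return {
        "locked": locked,
        "ok": satisfies(locked, constraint),
        "range": ">=%s <%s" % (".".join(map(str, lower)), ".".join(map(str, upper_padded))),
    }


if __name__ == "__main__":
    for constraint in ("~2.7.7", "~2.2.24"):
        print(constraint, check_lock(SAMPLE_LOCK, constraint))
```

Running it against the constructed lock file reports `ok: False` for `~2.7.7` because `2.7.6` is below the lower bound, while `2.7.9` or `2.7.12` would pass and `2.8.0` would not; the same logic shows why `~2.2.24` keeps the 2.4.4 to 2.4.6 branches on the 2.2 LTS line without drifting onto 2.3.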
