| Package | composer |
|---|---|
| Version | 1.2.2-1+deb9u2 (stretch) |
| Related CVEs | CVE-2022-24828, CVE-2023-43655 |
Two security issues were found in Composer, an application-level dependency manager for the PHP programming language.
CVE-2022-24828
Integrators using Composer code to call `VcsDriver::getFileContent` can have an argument injection vulnerability, leading to code execution, if the user can control the `$file` or `$identifier` argument: a value beginning with `-` is quoted for the shell but still reaches the VCS binary as a separate argument, which it parses as an option rather than as a revision or path. This affected packagist.org, for example, where a package's composer.json `readme` field reached hg/Mercurial through the `$file` argument; git is reachable through the `$identifier` argument if arbitrary data is allowed there.
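As an added illustration, not Composer's own code and not the Debian patch, the following PHP shows why shell quoting alone does not close this hole: a `$file` value beginning with `-` survives `escapeshellarg()` intact and is then read by `hg` as an option. The helper names (`buildHgCatCommandUnchecked`, `buildHgCatCommandChecked`, `buildGitShowCommandChecked`, `assertNotOptionLike`) and the `--config=alias.cat=!id` sample value are constructed for this example; rejecting a leading `-` is one way to close the hole, shown here for illustration.

```php
<?php
// Added illustration, not Composer's own code: argument injection through a
// VcsDriver::getFileContent()-style helper, and the input check that closes it.

/**
 * The vulnerable shape: build `hg cat -r <identifier> <file>` with each piece
 * shell-quoted. Quoting neutralises shell metacharacters, but a $file such as
 * "--config=alias.cat=!id" reaches hg as one intact argument, and hg parses
 * anything that starts with "-" as an option rather than as a path.
 */
function buildHgCatCommandUnchecked(string $identifier, string $file): string
{
    return sprintf('hg cat -r %s %s', escapeshellarg($identifier), escapeshellarg($file));
}

/**
 * A legitimate revision identifier or in-repository path never begins with "-",
 * so anything that a VCS binary would read as an option is refused outright.
 */
function assertNotOptionLike(string $value, string $what): void
{
    if (isset($value[0]) && $value[0] === '-') {
        throw new InvalidArgumentException(
            sprintf('Invalid %s detected, must not start with "-": %s', $what, $value)
        );
    }
}

/** Hardened hg variant: both positions can carry user data, so both are checked. */
function buildHgCatCommandChecked(string $identifier, string $file): string
{
    assertNotOptionLike($identifier, 'hg identifier');
    assertNotOptionLike($file, 'file path');
    return sprintf('hg cat -r %s %s', escapeshellarg($identifier), escapeshellarg($file));
}

/**
 * git show takes "<identifier>:<file>" as one argument, so a leading "-" in
 * $identifier is what turns it into an option; $file sits after the colon and
 * cannot, which matches the advisory's note that git is reached via $identifier.
 */
function buildGitShowCommandChecked(string $identifier, string $file): string
{
    assertNotOptionLike($identifier, 'git identifier');
    return sprintf('git show %s', escapeshellarg($identifier . ':' . $file));
}

// Constructed input modelled on the packagist.org vector: a composer.json
// "readme" value chosen by the package author and passed through as $file.
$attackerReadme = '--config=alias.cat=!id';

// Quoted for the shell, yet the last argument is still an option to hg.
echo buildHgCatCommandUnchecked('default', $attackerReadme), PHP_EOL;

try {
    buildHgCatCommandChecked('default', $attackerReadme);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Benign values pass through unchanged.
echo buildHgCatCommandChecked('default', 'README.md'), PHP_EOL;
echo buildGitShowCommandChecked('a1b2c3d', 'README.md'), PHP_EOL;
```

Run it with `php example.php`. The first command line printed is fully quoted and would execute without any shell trickery, which is exactly the point: the defence has to happen at the argument level, before the value is handed to the VCS binary, because the shell layer is not where the injection occurs.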
CVE-2023-43655
Users publishing a composer.phar to a public web-accessible server where composer.phar can be executed as a PHP file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. With that setting, PHP populates `$argv` from the HTTP query string for web requests, so a request to the exposed phar can feed attacker-chosen arguments to Composer's command-line interface. Independently of the fix, the archive should not be reachable under a web root, and the `.phar` extension should not be mapped to the PHP handler.
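The following PHP is an added illustration, not Composer's own code and not the Debian patch, of how a command-line entry point ends up parsing a URL as its arguments when it is served over the web, together with a SAPI guard that refuses such requests. The functions `argvFromQueryString`, `registerArgcArgvEnabled` and `cliArgumentsOrNull`, and the sample query string `about+--no-ansi`, are constructed for this example.

```php
<?php
// Added illustration, not Composer's own code: how a CLI entry point served over
// the web ends up parsing the URL as its command line, and a guard against it.

/**
 * Model of what PHP does for non-CLI SAPIs when register_argc_argv=On: the raw
 * query string is split on "+" and the tokens are published as $_SERVER['argv']
 * (the CGI convention). A request such as GET /composer.phar?about+--no-ansi
 * therefore makes those tokens available to the script as its argument vector.
 */
function argvFromQueryString(string $queryString): array
{
    return $queryString === '' ? [] : explode('+', $queryString);
}

/**
 * Is the setting that enables this on in the current process? ini_get() returns
 * the raw php.ini text ("1", "0", "On", "Off", ...), hence the boolean filter.
 */
function registerArgcArgvEnabled(): bool
{
    return filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Guard for a CLI entry point: argv may only be trusted under a CLI SAPI. Any
 * other SAPI (apache2handler, fpm-fcgi, cgi-fcgi, ...) means the script was
 * reached by an HTTP request and its "arguments" came from the URL, so the
 * request is refused and no command is dispatched.
 */
function cliArgumentsOrNull(string $sapi, array $serverArgv): ?array
{
    if (!in_array($sapi, ['cli', 'phpdbg'], true)) {
        return null;
    }
    return $serverArgv;
}

// Constructed request to a phar that is reachable under the document root and
// mapped to the PHP handler. The tokens are harmless here; the point is that
// they are attacker-chosen.
$simulatedArgv = argvFromQueryString('about+--no-ansi');

foreach (['apache2handler', 'fpm-fcgi', 'cli'] as $sapi) {
    $args = cliArgumentsOrNull($sapi, $simulatedArgv);
    printf(
        "%-15s %s\n",
        $sapi . ':',
        $args === null ? 'refused, web SAPI' : 'would run: composer ' . implode(' ', $args)
    );
}

// Report what the process running this script actually looks like.
printf("this process: SAPI=%s, register_argc_argv=%s\n", PHP_SAPI, registerArgcArgvEnabled() ? 'On' : 'Off');
```

The SAPI check is defence in depth inside the tool itself. The primary control stays with deployment: keep composer.phar out of any directory the web server serves, and do not configure the web server to execute `.phar` files as PHP, so that no request ever reaches the entry point in the first place.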
For Debian 9 stretch, these problems have been fixed in version 1.2.2-1+deb9u2.
We recommend that you upgrade your composer packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.