opensuse-su-2021:1289-1
Vulnerability from csaf_opensuse
Published: 2021-09-21 12:54
Modified: 2021-09-21 12:54
Summary: Security update for php-composer

Notes

Title of the patch: Security update for php-composer

Description of the patch:
This update for php-composer fixes the following issues:

- Require php-mbstring as requested in boo#1187416

- Version 1.10.22
  * Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472), boo#1185376

- Version 1.10.21
  * Fixed support for new GitHub OAuth token format
  * Fixed processes silently ignoring the CWD when it does not exist

- Version 1.10.20
  * Fixed exclude-from-classmap causing regex issues when having too many paths
  * Fixed compatibility issue with Symfony 4/5

- Version 1.10.17
  * Fixed Bitbucket API authentication issue
  * Fixed parsing of Composer 2 lock files breaking in some rare conditions

- Version 1.10.16
  * Added warning to validate command for cases where packages provide/replace a package that they also require
  * Fixed JSON schema validation issue with PHPStorm
  * Fixed symlink handling in archive command

- Version 1.10.15
  * Fixed path repo version guessing issue

- Version 1.10.14
  * Fixed version guesser to look at remote branches as well as local ones
  * Fixed path repositories version guessing to handle edge cases where version is different from the VCS-guessed version
  * Fixed COMPOSER env var causing issues when combined with the global command
  * Fixed a few issues dealing with PHP without openssl extension (not recommended at all but sometimes needed for testing)

- Version 1.10.13
  * Fixed regressions with old version validation
  * Fixed invalid root aliases not being reported

- Version 1.10.12
  * Fixed regressions with old version validation

- Version 1.10.11
  * Fixed more PHP 8 compatibility issues
  * Fixed regression in handling of CTRL-C when xdebug is loaded
  * Fixed status handling of broken symlinks

- Version 1.10.10
  * Fixed create-project not triggering events while installing the root package
  * Fixed PHP 8 compatibility issue
  * Fixed self-update to avoid automatically upgrading to the next major version once it becomes stable

- Version 1.10.9
  * Fixed Bitbucket redirect loop when credentials are outdated
  * Fixed GitLab auth prompt wording
  * Fixed self-update handling of files requiring admin permissions to write to on Windows (it now does a UAC prompt)
  * Fixed parsing issues in funding.yml files

- Version 1.10.8
  * Fixed compatibility issue with git being configured to show signatures by default
  * Fixed discarding of local changes when updating packages to include untracked files
  * Several minor fixes

- Version 1.10.7
  * Fixed PHP 8 deprecations
  * Fixed detection of pcntl_signal being in disabled_functions when pcntl_async_signal is allowed

- Version 1.10.6
  * Fixed version guessing to take composer-runtime-api and composer-plugin-api requirements into account to avoid selecting packages which require Composer 2
  * Fixed package name validation to allow several dashes following each other
  * Fixed post-status-cmd script not firing when there were no changes to be displayed
  * Fixed composer-runtime-api support on Composer 1.x, the package is now present as 1.0.0
  * Fixed support for composer show --name-only --self
  * Fixed detection of GitLab URLs when handling authentication in some cases

- Version 1.10.5
  * Fixed self-update on PHP <5.6, seriously please upgrade
  * Fixed 1.10.2 regression with PATH resolution in scripts

- Version 1.10.4
  * Fixed 1.10.2 regression in path symlinking with absolute path repos

- Version 1.10.3
  * Fixed invalid --2 flag warning in self-update when no channel is requested

- Version 1.10.2
  * Added --1 flag to self-update command which can be added to automated self-update runs to make sure it won't automatically jump to 2.0 once that is released
  * Fixed path repository symlinks being made relative when the repo url is defined as absolute paths
  * Fixed potential issues when using 'composer ...' in scripts and composer/composer was also required in the project
  * Fixed 1.10.0 regression when downloading GitHub archives from non-API URLs
  * Fixed handling of malformed info in fund command
  * Fixed Symfony5 compatibility issues in a few commands

- Version 1.10.1
  * Fixed path repository warning on empty path when using wildcards
  * Fixed superfluous warnings when generating optimized autoloaders

- Version 1.10.0
  * Breaking: composer global exec ... now executes the process in the current working directory instead of executing it in the global directory.
  * Warning: Added a warning when class names are being loaded by a PSR-4 or PSR-0 rule only due to classmap optimization, but would not otherwise be autoloadable. Composer 2.0 will stop autoloading these classes so make sure you fix your autoload configs.
  * Added new funding key to composer.json to describe ways your package's maintenance can be funded. This reads info from GitHub's FUNDING.yml by default so better configure it there so it shows on GitHub and Composer/Packagist
  * Added composer fund command to show funding info of your dependencies
  * Added bearer auth config to authenticate using Authorization: Bearer <token> headers
  * Added plugin-api-version in composer.lock so third-party tools can know which Composer version was used to generate a lock file
  * Added support for --format=json output for show command when showing a single package
  * Added support for configuring suggestions using config command, e.g. composer config suggest.foo/bar some text
  * Added support for configuring fine-grained preferred-install using config command, e.g. composer config preferred-install.foo/* dist
  * Added @putenv script handler to set environment variables from composer.json for following scripts
  * Added lock option that can be set to false, in which case no composer.lock file will be generated
  * Added --add-repository flag to create-project command which will persist the repo given in --repository into the composer.json of the package being installed
  * Fixed issue where --no-dev autoload generation was excluding some packages which should not have been excluded
  * Added support for IPv6 addresses in NO_PROXY
  * Added package homepage display in the show command
  * Added debug info about HTTP authentications
  * Added Symfony 5 compatibility
  * Added --fixed flag to require command to make it use a fixed constraint instead of a ^x.y constraint when adding the requirement
  * Fixed exclude-from-classmap matching subsets of directories, e.g. foo/ was excluding foobar/
  * Fixed archive command to persist file permissions inside the zip files
  * Fixed init/require command to avoid suggesting packages which are already selected in the search results
  * Fixed create-project UX issues
  * Fixed filemtime for vendor/composer/* files so it now only changes when the files actually change
  * Fixed issues detecting docker environment with an active open_basedir

- Version 1.9.3
  * Fixed GitHub deprecation of access_token query parameter, now using Authorization header

- Version 1.9.2
  * Fixed minor git driver bugs
  * Fixed schema validation for version field to allow dev-* versions too
  * Fixed external processes' output being formatted even though it should not
  * Fixed issue with path repositories when trying to install feature branches

- Version 1.9.1
  * Fixed various credential handling issues with gitlab and github
  * Fixed credentials being present in git remotes in Composer cache and vendor directory when not using SSH keys
  * Fixed composer why not listing replacers as a reason something is present
  * Fixed various PHP 7.4 compatibility issues
  * Fixed root warnings always present in Docker containers, setting COMPOSER_ALLOW_SUPERUSER is not necessary anymore
  * Fixed GitHub access tokens leaking into debug-verbosity output
  * Fixed several edge case issues detecting GitHub, Bitbucket and GitLab repository types
  * Fixed Composer asking if you want to use a composer.json in a parent directory when run in non-interactive mode
  * Fixed classmap autoloading issue finding classes located within a few non-PHP context blocks (?>...<?php)

- Version 1.9.0
  * Added a --no-cache flag available on all commands to run with the cache disabled
  * Added PHP_BINARY as env var pointing to the PHP process when executing Composer scripts as shell scripts
  * Added a use-github-api config option which can set the no-api flag on all GitHub VCS repositories declared
  * Added a static helper you can prepend to a script to avoid process timeouts, 'Composer\Config::disableProcessTimeout'
  * Added Event::getOriginatingEvent to retrieve an event's original event when a script handler forwards to another one
  * Added support for autoloading directly from a phar file
  * Fixed loading order of plugins to always initialize them in order of dependencies
  * Fixed various network-mount related issues
  * Fixed --ignore-platform-reqs not ignoring conflict rules against platform packages

- Version 1.8.6
  * Fixed handling of backslash-escapes in composer.json when using the require command
  * Fixed create-project not following classmap-authoritative and apcu-autoloader config values
  * Fixed HHVM version warning showing up in some cases when it was not in use
Patchnames: openSUSE-2021-1289

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for php-composer",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for php-composer fixes the following issues:\n\n- Require php-mbstring as requested in boo#1187416\n\n- Version 1.10.22\n\n  * Security: Fixed command injection vulnerability in HgDriver/HgDownloader \n    and hardened other VCS drivers and downloaders\n    (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472), boo#1185376\n\n- Version 1.10.21\n\n  * Fixed support for new GitHub OAuth token format\n  * Fixed processes silently ignoring the CWD when it does not exist\n\n- Version 1.10.20\n\n  * Fixed exclude-from-classmap causing regex issues when having too many paths\n  * Fixed compatibility issue with Symfony 4/5\n\n- Version 1.10.17\n\n  * Fixed Bitbucket API authentication issue\n  * Fixed parsing of Composer 2 lock files breaking in some rare conditions\n\n- Version 1.10.16\n\n  * Added warning to validate command for cases where packages provide/\n    replace a package that they also require\n  * Fixed JSON schema validation issue with PHPStorm\n  * Fixed symlink handling in archive command\n\n- Version 1.10.15\n\n  * Fixed path repo version guessing issue\n\n- Version 1.10.14\n\n  * Fixed version guesser to look at remote branches as well as local\n    ones\n  * Fixed path repositories version guessing to handle edge cases where\n    version is different from the VCS-guessed version\n  * Fixed COMPOSER env var causing issues when combined with the global\n    command\n  * Fixed a few issues dealing with PHP without openssl extension (not\n    recommended at all but sometimes needed for testing)\n\n- Version 1.10.13\n\n  * Fixed regressions with old version validation\n  * Fixed invalid root aliases not being reported\n\n- Version 1.10.12\n\n  * Fixed regressions with old version validation\n\n- Version 1.10.11\n\n  * Fixed more PHP 8 compatibility issues\n  * Fixed regression in handling of CTRL-C when xdebug is loaded\n  * Fixed status handling of broken symlinks\n\n- Version 1.10.10\n\n  * Fixed create-project not triggering events while 
installing the\n    root package\n  * Fixed PHP 8 compatibility issue\n  * Fixed self-update to avoid automatically upgrading to the next\n    major version once it becomes stable\n\n- Version 1.10.9\n\n  * Fixed Bitbucket redirect loop when credentials are outdated\n  * Fixed GitLab auth prompt wording\n  * Fixed self-update handling of files requiring admin permissions\n    to write to on Windows (it now does a UAC prompt)\n  * Fixed parsing issues in funding.yml files\n\n- Version 1.10.8\n\n  * Fixed compatibility issue with git being configured to show\n    signatures by default\n  * Fixed discarding of local changes when updating packages to include\n    untracked files\n  * Several minor fixes\n\n- Version 1.10.7\n\n  * Fixed PHP 8 deprecations\n  * Fixed detection of pcntl_signal being in disabled_functions when\n    pcntl_async_signal is allowed\n\n- Version 1.10.6\n\n  * Fixed version guessing to take composer-runtime-api and\n    composer-plugin-api requirements into account to avoid selecting\n    packages which require Composer 2\n  * Fixed package name validation to allow several dashes following\n    each other\n  * Fixed post-status-cmd script not firing when there were no\n    changes to be displayed\n  * Fixed composer-runtime-api support on Composer 1.x, the package\n    is now present as 1.0.0\n  * Fixed support for composer show --name-only --self\n  * Fixed detection of GitLab URLs when handling authentication in\n    some cases\n\n- Version 1.10.5\n\n  * Fixed self-update on PHP \u003c5.6, seriously please upgrade\n  * Fixed 1.10.2 regression with PATH resolution in scripts\n\n- Version 1.10.4\n\n  * Fixed 1.10.2 regression in path symlinking with absolute path\n    repos\n\n- Version 1.10.3\n\n  * Fixed invalid --2 flag warning in self-update when no channel is\n    requested\n\n- Version 1.10.2\n\n  * Added --1 flag to self-update command which can be added to\n    automated self-update runs to make sure it won\u0027t automatically\n    jump 
to 2.0 once that is released\n  * Fixed path repository symlinks being made relative when the repo\n    url is defined as absolute paths\n  * Fixed potential issues when using \u0027composer ...\u0027 in scripts and\n    composer/composer was also required in the project\n  * Fixed 1.10.0 regression when downloading GitHub archives from\n    non-API URLs\n  * Fixed handling of malformed info in fund command\n  * Fixed Symfony5 compatibility issues in a few commands\n\n- Version 1.10.1\n\n  * Fixed path repository warning on empty path when using wildcards\n  * Fixed superfluous warnings when generating optimized autoloaders\n\n- Version 1.10.0\n\n  * Breaking: composer global exec ... now executes the process in\n    the current working directory instead of executing it in the\n    global directory.\n  * Warning: Added a warning when class names are being loaded by a\n    PSR-4 or PSR-0 rule only due to classmap optimization, but would\n    not otherwise be autoloadable. Composer 2.0 will stop autoloading\n    these classes so make sure you fix your autoload configs.\n  * Added new funding key to composer.json to describe ways your package\u0027s\n    maintenance can be funded. This reads info from GitHub\u0027s FUNDING.yml\n    by default so better configure it there so it shows on GitHub and\n    Composer/Packagist\n  * Added composer fund command to show funding info of your dependencies\n  * Added bearer auth config to authenticate using Authorization:\n    Bearer \u003ctoken\u003e headers\n  * Added plugin-api-version in composer.lock so third-party tools can\n    know which Composer version was used to generate a lock file\n  * Added support for --format=json output for show command when showing\n    a single package\n  * Added support for configuring suggestions using config command,\n    e.g. composer config suggest.foo/bar some text\n  * Added support for configuring fine-grained preferred-install using\n    config command, e.g. 
composer config preferred-install.foo/* dist\n  * Added @putenv script handler to set environment variables from\n    composer.json for following scripts\n  * Added lock option that can be set to false, in which case no\n    composer.lock file will be generated\n  * Added --add-repository flag to create-project command which will\n    persist the repo given in --repository into the composer.json of\n    the package being installed\n  * Fixed issue where --no-dev autoload generation was excluding some\n    packages which should not have been excluded\n  * Added support for IPv6 addresses in NO_PROXY\n  * Added package homepage display in the show command\n  * Added debug info about HTTP authentications\n  * Added Symfony 5 compatibility\n  * Added --fixed flag to require command to make it use a fixed constraint\n    instead of a ^x.y constraint when adding the requirement\n  * Fixed exclude-from-classmap matching subsets of directories e.g.\n    foo/ was excluding foobar/\n  * Fixed archive command to persist file permissions inside the zip files\n  * Fixed init/require command to avoid suggesting packages which are\n    already selected in the search results\n  * Fixed create-project UX issues\n  * Fixed filemtime for vendor/composer/* files is now only changing\n    when the files actually change\n  * Fixed issues detecting docker environment with an active open_basedir\n\n- Version 1.9.3\n  * Fixed GitHub deprecation of access_token query parameter, now\n    using Authorization header\n\n- Version 1.9.2\n  * Fixed minor git driver bugs\n  * Fixed schema validation for version field to allow dev-* versions\n    too\n  * Fixed external processes\u0027 output being formatted even though it\n    should not\n  * Fixed issue with path repositories when trying to install feature\n    branches\n\n- Version 1.9.1\n  * Fixed various credential handling issues with gitlab and github\n  * Fixed credentials being present in git remotes in Composer cache\n    and vendor 
directory when not using SSH keys\n  * Fixed composer why not listing replacers as a reason something\n    is present\n  * Fixed various PHP 7.4 compatibility issues\n  * Fixed root warnings always present in Docker containers, setting\n    COMPOSER_ALLOW_SUPERUSER is not necessary anymore\n  * Fixed GitHub access tokens leaking into debug-verbosity output\n  * Fixed several edge case issues detecting GitHub, Bitbucket and\n    GitLab repository types\n  * Fixed Composer asking if you want to use a composer.json in a\n    parent directory when ran in non-interactive mode\n  * Fixed classmap autoloading issue finding classes located within\n    a few non-PHP context blocks (?\u003e...\u003c?php)\n\n- Version 1.9.0\n  * Added a --no-cache flag available on all commands to run with\n    the cache disabled\n  * Added PHP_BINARY as env var pointing to the PHP process when\n    executing Composer scripts as shell scripts\n  * Added a use-github-api config option which can set the no-api\n    flag on all GitHub VCS repositories declared\n  * Added a static helper you can preprend to a script to avoid\n    process timeouts, \u0027Composer\\\\Config::disableProcessTimeout\u0027\n  * Added Event::getOriginatingEvent to retrieve an event\u0027s original\n    event when a script handler forwards to another one\n  * Added support for autoloading directly from a phar file\n  * Fixed loading order of plugins to always initialize them in order\n    of dependencies\n  * Fixed various network-mount related issues\n  * Fixed --ignore-platform-reqs not ignoring conflict rules against\n    platform packages\n\n- Version 1.8.6\n  * Fixed handling of backslash-escapes handling in compoesr.json\n    when using the require command\n  * Fixed create-project not following classmap-authoritative and\n    apcu-autoloader config values\n  * Fixed HHVM version warning showing up in some cases when it was\n    not in use\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2021-1289",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1289-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2021:1289-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ALRJGAG4EXTTIEI2CGMZH3NCUQIQUTQ/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2021:1289-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ALRJGAG4EXTTIEI2CGMZH3NCUQIQUTQ/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1185376",
        "url": "https://bugzilla.suse.com/1185376"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1187416",
        "url": "https://bugzilla.suse.com/1187416"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-29472 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-29472/"
      }
    ],
    "title": "Security update for php-composer",
    "tracking": {
      "current_release_date": "2021-09-21T12:54:07Z",
      "generator": {
        "date": "2021-09-21T12:54:07Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2021:1289-1",
      "initial_release_date": "2021-09-21T12:54:07Z",
      "revision_history": [
        {
          "date": "2021-09-21T12:54:07Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer-1.10.22-bp153.2.3.1.noarch",
                "product": {
                  "name": "php-composer-1.10.22-bp153.2.3.1.noarch",
                  "product_id": "php-composer-1.10.22-bp153.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP1",
                "product": {
                  "name": "SUSE Package Hub 15 SP1",
                  "product_id": "SUSE Package Hub 15 SP1"
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP2",
                "product": {
                  "name": "SUSE Package Hub 15 SP2",
                  "product_id": "SUSE Package Hub 15 SP2"
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP3",
                "product": {
                  "name": "SUSE Package Hub 15 SP3",
                  "product_id": "SUSE Package Hub 15 SP3"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.2",
                "product": {
                  "name": "openSUSE Leap 15.2",
                  "product_id": "openSUSE Leap 15.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer-1.10.22-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:php-composer-1.10.22-bp153.2.3.1.noarch"
        },
        "product_reference": "php-composer-1.10.22-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer-1.10.22-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:php-composer-1.10.22-bp153.2.3.1.noarch"
        },
        "product_reference": "php-composer-1.10.22-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer-1.10.22-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
          "product_id": "SUSE Package Hub 15 SP3:php-composer-1.10.22-bp153.2.3.1.noarch"
        },
        "product_reference": "php-composer-1.10.22-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer-1.10.22-bp153.2.3.1.noarch as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:php-composer-1.10.22-bp153.2.3.1.noarch"
        },
        "product_reference": "php-composer-1.10.22-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer-1.10.22-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:php-composer-1.10.22-bp153.2.3.1.noarch"
        },
        "product_reference": "php-composer-1.10.22-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-29472",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-29472"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches for this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP1:php-composer-1.10.22-bp153.2.3.1.noarch",
          "SUSE Package Hub 15 SP2:php-composer-1.10.22-bp153.2.3.1.noarch",
          "SUSE Package Hub 15 SP3:php-composer-1.10.22-bp153.2.3.1.noarch",
          "openSUSE Leap 15.2:php-composer-1.10.22-bp153.2.3.1.noarch",
          "openSUSE Leap 15.3:php-composer-1.10.22-bp153.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-29472",
          "url": "https://www.suse.com/security/cve/CVE-2021-29472"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1185376 for CVE-2021-29472",
          "url": "https://bugzilla.suse.com/1185376"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP1:php-composer-1.10.22-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:php-composer-1.10.22-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:php-composer-1.10.22-bp153.2.3.1.noarch",
            "openSUSE Leap 15.2:php-composer-1.10.22-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:php-composer-1.10.22-bp153.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP1:php-composer-1.10.22-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:php-composer-1.10.22-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:php-composer-1.10.22-bp153.2.3.1.noarch",
            "openSUSE Leap 15.2:php-composer-1.10.22-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:php-composer-1.10.22-bp153.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-09-21T12:54:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-29472"
    }
  ]
}

