Category Archives: Advisories

composer-2.3.5-1.fc35

Read Time:4 Minute, 7 Second

FEDORA-2022-47d2e7da46

Packages in this update:

composer-2.3.5-1.fc35

Update description:

Version 2.3.5 – 2022-04-13

Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
Added warning when downloading a file with verify_peer[_name] disabled (#10722)
Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
Fixed validate command checking the lock file even if the lock option is disabled (#10723)
Fixed detection of default branch name when it changed since a git repo was mirrored in cache dir (#10701)

Version 2.3.4 – 2022-04-07

Fixed the generated autoload.php to support running on PHP 5.6+ (down from 7.0+) and warn clearly on older PHP versions (#10714)
Fixed run-script –list flag regression (#10710)
Fixed curl downloader handling of DNS resolution failures to do an automatic retry (#10716)
Fixed script handling of external commands not setting the Path env correctly on windows (#10700)
Fixed various type errors (#10694, #10696, #10702, #10712, #10703)

Version 2.3.3 – 2022-04-01

Added –2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)
Added missing config.bitbucket-oauth in composer-schema.json
Fixed type errors in SvnDriver (#10681)
Fixed –version output to match the pre-2.3 one (#10684)
Fixed config/auth.json files not being validated against the composer-schema.json (#10685)
Fixed generation of autoload crashing if a package has a broken path (#10688)
Fixed GitDriver state issue when reusing old cache dirs and the default branch was renamed (#10687)
Updated semver, jsonlint deps for minor fixes
Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)

Version 2.3.2 – 2022-03-30

Fixed type error when running exec command (#10672)
Fixed endless loop in plugin activation prompt when input is not fully interactive yet appears to be (#10648)
Fixed type error in ComposerRepository (#10675)
Fixed issues loading platform packages where the version of a library cannot be established (#10631)

Version 2.3.1 – 2022-03-30

Fixed type error when HOME env var is not set (#10670)

Version 2.3.0 – 2022-03-30

Fixed many strict types errors (#10646, #10642, #10647, #10658, #10656, #10665, #10660, #10663, #10662)

Version 2.3.0-RC2 – 2022-03-20

Fixed invalid return value in ComposerRepository::findPackage (#10622)
Fixed many show command issues due to a flipped condition (#10623)
Fixed phpversion() handling when it returns false due to an extension defining no version (#10631)
Fixed remove command failing when no allow-plugin is defined in config (#10629)
Performance improvement in Composer bootstrapping (version guessing) when on a feature branch (#10632)

Version 2.3.0-RC1 – 2022-03-16

BC Break: the minimum PHP version is now 7.2.5+, use the Composer 2.2 LTS if you are stuck with an older PHP (#10343)
BC Break: added native parameter & return types to many internal APIs, we explicitly left the most extended/implemented symbols untouched but if this causes problems nonetheless please report it ASAP (#10547, #10561)
BC Break: added visibility to all constants, a few internal ones have been made private/protected, if this causes problems please report it ASAP (#10550)
BC Break: the minimum supported Symfony components version is now 5.4, this only affects you if you are requiring composer/composer directly however, which is generally frowned upon
Bumped composer-plugin-api to 2.3.0
Bumped bundled Symfony components from 2.8 to 5.4 🥳
Added declare(strict_types=1) to all the classes, which for sure could cause regressions in edge cases, please report with stack traces (#10567)
Added –patch-only to the outdated command to only show updates to patch versions and ignore new major/minor versions (#10589)
Added clickable links to various commands for terminals which support it (#10430)
Added ProcessExecutor ability to receive commands as arrays by (internals/plugin change only) (#10435)
Added abandoned flag to show/outdated commands JSON-formatted output (#10485)
Added config.reference option to path repositories to configure the way the reference is generated, and possibly reduce composer.lock conflicts (#10488)
Added automatic removal of allow-plugins rules when removing a plugin via the remove command (#10615)
Added COMPOSER_IGNORE_PLATFOR_REQ & COMPOSER_IGNORE_PLATFOR_REQS env vars to configure the equivalent flags (#10616)
Added support for Symfony 6.0 components
Added support for psr/log 3.x (#10454)
Fixed symlink creation in linux VM guest filesystems to be recognized by Windows (#10592)
Performance improvement in pool optimization step (#10585)

Version 2.2.10 – 2022-03-29

Fixed Bitbucket authorization detection due to API changes (#10657)
Fixed validate command warning about dist/source keys if defined (#10655)
Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)

Read More

composer-2.3.5-1.fc36

Read Time:4 Minute, 7 Second

FEDORA-2022-60ec715192

Packages in this update:

composer-2.3.5-1.fc36

Update description:

Version 2.3.5 – 2022-04-13

Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
Added warning when downloading a file with verify_peer[_name] disabled (#10722)
Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
Fixed validate command checking the lock file even if the lock option is disabled (#10723)
Fixed detection of default branch name when it changed since a git repo was mirrored in cache dir (#10701)

Version 2.3.4 – 2022-04-07

Fixed the generated autoload.php to support running on PHP 5.6+ (down from 7.0+) and warn clearly on older PHP versions (#10714)
Fixed run-script –list flag regression (#10710)
Fixed curl downloader handling of DNS resolution failures to do an automatic retry (#10716)
Fixed script handling of external commands not setting the Path env correctly on windows (#10700)
Fixed various type errors (#10694, #10696, #10702, #10712, #10703)

Version 2.3.3 – 2022-04-01

Added –2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)
Added missing config.bitbucket-oauth in composer-schema.json
Fixed type errors in SvnDriver (#10681)
Fixed –version output to match the pre-2.3 one (#10684)
Fixed config/auth.json files not being validated against the composer-schema.json (#10685)
Fixed generation of autoload crashing if a package has a broken path (#10688)
Fixed GitDriver state issue when reusing old cache dirs and the default branch was renamed (#10687)
Updated semver, jsonlint deps for minor fixes
Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)

Version 2.3.2 – 2022-03-30

Fixed type error when running exec command (#10672)
Fixed endless loop in plugin activation prompt when input is not fully interactive yet appears to be (#10648)
Fixed type error in ComposerRepository (#10675)
Fixed issues loading platform packages where the version of a library cannot be established (#10631)

Version 2.3.1 – 2022-03-30

Fixed type error when HOME env var is not set (#10670)

Version 2.3.0 – 2022-03-30

Fixed many strict types errors (#10646, #10642, #10647, #10658, #10656, #10665, #10660, #10663, #10662)

Version 2.3.0-RC2 – 2022-03-20

Fixed invalid return value in ComposerRepository::findPackage (#10622)
Fixed many show command issues due to a flipped condition (#10623)
Fixed phpversion() handling when it returns false due to an extension defining no version (#10631)
Fixed remove command failing when no allow-plugin is defined in config (#10629)
Performance improvement in Composer bootstrapping (version guessing) when on a feature branch (#10632)

Version 2.3.0-RC1 – 2022-03-16

BC Break: the minimum PHP version is now 7.2.5+, use the Composer 2.2 LTS if you are stuck with an older PHP (#10343)
BC Break: added native parameter & return types to many internal APIs, we explicitly left the most extended/implemented symbols untouched but if this causes problems nonetheless please report it ASAP (#10547, #10561)
BC Break: added visibility to all constants, a few internal ones have been made private/protected, if this causes problems please report it ASAP (#10550)
BC Break: the minimum supported Symfony components version is now 5.4, this only affects you if you are requiring composer/composer directly however, which is generally frowned upon
Bumped composer-plugin-api to 2.3.0
Bumped bundled Symfony components from 2.8 to 5.4 🥳
Added declare(strict_types=1) to all the classes, which for sure could cause regressions in edge cases, please report with stack traces (#10567)
Added –patch-only to the outdated command to only show updates to patch versions and ignore new major/minor versions (#10589)
Added clickable links to various commands for terminals which support it (#10430)
Added ProcessExecutor ability to receive commands as arrays by (internals/plugin change only) (#10435)
Added abandoned flag to show/outdated commands JSON-formatted output (#10485)
Added config.reference option to path repositories to configure the way the reference is generated, and possibly reduce composer.lock conflicts (#10488)
Added automatic removal of allow-plugins rules when removing a plugin via the remove command (#10615)
Added COMPOSER_IGNORE_PLATFOR_REQ & COMPOSER_IGNORE_PLATFOR_REQS env vars to configure the equivalent flags (#10616)
Added support for Symfony 6.0 components
Added support for psr/log 3.x (#10454)
Fixed symlink creation in linux VM guest filesystems to be recognized by Windows (#10592)
Performance improvement in pool optimization step (#10585)

Version 2.2.10 – 2022-03-29

Fixed Bitbucket authorization detection due to API changes (#10657)
Fixed validate command warning about dist/source keys if defined (#10655)
Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)

Read More

composer-2.3.5-1.el9

Read Time:4 Minute, 8 Second

FEDORA-EPEL-2022-cfff8c1f5c

Packages in this update:

composer-2.3.5-1.el9

Update description:

Version 2.3.5 – 2022-04-13

Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
Added warning when downloading a file with verify_peer[_name] disabled (#10722)
Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
Fixed validate command checking the lock file even if the lock option is disabled (#10723)
Fixed detection of default branch name when it changed since a git repo was mirrored in cache dir (#10701)

Version 2.3.4 – 2022-04-07

Fixed the generated autoload.php to support running on PHP 5.6+ (down from 7.0+) and warn clearly on older PHP versions (#10714)
Fixed run-script –list flag regression (#10710)
Fixed curl downloader handling of DNS resolution failures to do an automatic retry (#10716)
Fixed script handling of external commands not setting the Path env correctly on windows (#10700)
Fixed various type errors (#10694, #10696, #10702, #10712, #10703)

Version 2.3.3 – 2022-04-01

Added –2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)
Added missing config.bitbucket-oauth in composer-schema.json
Fixed type errors in SvnDriver (#10681)
Fixed –version output to match the pre-2.3 one (#10684)
Fixed config/auth.json files not being validated against the composer-schema.json (#10685)
Fixed generation of autoload crashing if a package has a broken path (#10688)
Fixed GitDriver state issue when reusing old cache dirs and the default branch was renamed (#10687)
Updated semver, jsonlint deps for minor fixes
Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)

Version 2.3.2 – 2022-03-30

Fixed type error when running exec command (#10672)
Fixed endless loop in plugin activation prompt when input is not fully interactive yet appears to be (#10648)
Fixed type error in ComposerRepository (#10675)
Fixed issues loading platform packages where the version of a library cannot be established (#10631)

Version 2.3.1 – 2022-03-30

Fixed type error when HOME env var is not set (#10670)

Version 2.3.0 – 2022-03-30

Fixed many strict types errors (#10646, #10642, #10647, #10658, #10656, #10665, #10660, #10663, #10662)

Version 2.3.0-RC2 – 2022-03-20

Fixed invalid return value in ComposerRepository::findPackage (#10622)
Fixed many show command issues due to a flipped condition (#10623)
Fixed phpversion() handling when it returns false due to an extension defining no version (#10631)
Fixed remove command failing when no allow-plugin is defined in config (#10629)
Performance improvement in Composer bootstrapping (version guessing) when on a feature branch (#10632)

Version 2.3.0-RC1 – 2022-03-16

BC Break: the minimum PHP version is now 7.2.5+, use the Composer 2.2 LTS if you are stuck with an older PHP (#10343)
BC Break: added native parameter & return types to many internal APIs, we explicitly left the most extended/implemented symbols untouched but if this causes problems nonetheless please report it ASAP (#10547, #10561)
BC Break: added visibility to all constants, a few internal ones have been made private/protected, if this causes problems please report it ASAP (#10550)
BC Break: the minimum supported Symfony components version is now 5.4, this only affects you if you are requiring composer/composer directly however, which is generally frowned upon
Bumped composer-plugin-api to 2.3.0
Bumped bundled Symfony components from 2.8 to 5.4 🥳
Added declare(strict_types=1) to all the classes, which for sure could cause regressions in edge cases, please report with stack traces (#10567)
Added –patch-only to the outdated command to only show updates to patch versions and ignore new major/minor versions (#10589)
Added clickable links to various commands for terminals which support it (#10430)
Added ProcessExecutor ability to receive commands as arrays by (internals/plugin change only) (#10435)
Added abandoned flag to show/outdated commands JSON-formatted output (#10485)
Added config.reference option to path repositories to configure the way the reference is generated, and possibly reduce composer.lock conflicts (#10488)
Added automatic removal of allow-plugins rules when removing a plugin via the remove command (#10615)
Added COMPOSER_IGNORE_PLATFOR_REQ & COMPOSER_IGNORE_PLATFOR_REQS env vars to configure the equivalent flags (#10616)
Added support for Symfony 6.0 components
Added support for psr/log 3.x (#10454)
Fixed symlink creation in linux VM guest filesystems to be recognized by Windows (#10592)
Performance improvement in pool optimization step (#10585)

Version 2.2.10 – 2022-03-29

Fixed Bitbucket authorization detection due to API changes (#10657)
Fixed validate command warning about dist/source keys if defined (#10655)
Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)

Read More

composer-2.2.12-1.fc34

Read Time:48 Second

FEDORA-2022-617a6df23e

Packages in this update:

composer-2.2.12-1.fc34

Update description:

Version 2.2.12 – 2022-04-13

Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
Fixed validate command checking the lock file even if the lock option is disabled (#10723)

Version 2.2.11 – 2022-04-01

Added missing config.bitbucket-oauth in composer-schema.json
Added –2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)
Updated semver, jsonlint deps for minor fixes
Fixed generation of autoload crashing if a package has a broken path (#10688)
Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)

Read More

composer-1.10.26-1.el7

Read Time:36 Second

FEDORA-EPEL-2022-a970a526cb

Packages in this update:

composer-1.10.26-1.el7

Update description:

Version 1.10.26 – 2022-04-13

Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)

Version 1.10.25 – 2022-01-21

Fixed selfupdate on Windows + PHP 8.1 regression (#10446)

Version 1.10.24 – 2021-12-09

Added v1 deprecation warning when running install. Please make sure you upgrade to Composer 2, see https://blog.packagist.com/deprecating-composer-1-support/
Fixed PHP 8.1 compatibility
Fixed some more Windows CLI parameter escaping edge cases

Version 1.10.23 – 2021-10-05

Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)

Read More

Microsoft Patch Tuesday 0-day Escalation of Privilege Vulnerability (CVE-2022-24521)

Read Time:2 Minute, 24 Second

Microsoft has released over 117 security fixes for this month’s April 2022 release. Besides the usual security fixes, there were two zero days of note and they are:CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service. This is an EoP (elevation of privilege) vulnerability. However, exploitation has not been seen in the wild and requires a race condition to successfully exploit. This has a CVSS score of 7.0.CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System (CLFS) Driver. This bug has been reported by Microsoft as being actively exploited in the wild. This vulnerability was reported by the NSA and Crowdstrike to Microsoft after being observed to have been used in active attacks. This has a CVSS score of 7.8.On a side note, another CLFS vulnerability (CVE-2022-24481) was disclosed but it was not reported to be a zero day.Why is this Significant?This is significant as CVE-2022-24521 was exploited as a 0-day in the wild. Exploiting CVE-2022-24521 provides elevated privileges to an attacker, and as such the security bug was likely leveraged in conjunction with an unspecified code execution vulnerability.How Widespread is the Attack that Leverages CVE-2022-24521?At this time, there is no information available as to how widespread the attack is. However, since the vulnerability was publicly disclosed, attacks that leverage CVE-2022-24521 may increase.Is there Any Other Vulnerability in the April Patch Tuesday that Requires Attention?Microsoft also released a patch for another escalation of privilege vulnerability (CVE-2022-24481). While the vulnerability was not reported nor observed to have been exploited in the wild, the Microsoft advisory states that exploitation is likely to occur. As such a patch for CVE-2022-24481 should also be applied as soon as possible. It is important to note that this CVE was not a zero day.Has Microsoft Released Security Advisories for CVE-2022-24521 and CVE-2022-24481?Yes, Microsoft has issued advisories for both vulnerabilities. See the Appendix for a link to “CVE-2022-24521: Windows Common Log File System Driver Elevation of Privilege Vulnerability” and “CVE-2022-24481: Windows Common Log File System Driver Elevation of Privilege Vulnerability”.Has Microsoft Released a Patch for CVE-2022-24521 and CVE-2022-24481?Yes, Microsoft has released a patch for both vulnerabilities on April 12nd, 2022 as part of regular MS Tuesday for the month.What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-24521 in version 20.295:MS.Windows.CVE-2022-24521.Privilege.Elevation (default action is set to pass)FortiGuard Labs has released the following IPS signature for CVE-2022-24481 in version 20.295:MS.Windows.CVE-2022-24481.Privilege.Elevation (default action is set to pass)

Read More

Industroyer2 Discovered Attacking Critical Ukrainian Verticals

Read Time:1 Minute, 59 Second

FortiGuard Labs is aware of new reports of Industroyer2, the successor to the Industroyer malware. First discovered in 2016, Industroyer was attributed to energy grid attacks in Kiev, Ukraine. The attack resulted in a loss of electricity for over an hour and was attributed to the Russian government (Sandworm). The latest discovery of Industroyer2 was discovered by researchers at ESET (who also discovered Industroyer in 2015).Industroyer is an Industrial Control System (ICS) specific malware that is modular and was discovered to have capabilities to control electrical substations and circuit breakers. It uses industrial communication protocols and techniques to conduct its operations via a global industry standard used by many critical infrastructure verticals.This latest variant of Industroyer2 was seen targeting ICS devices within electrical substations and then trying to erase any evidence of its attack by running CaddyWiper malware along with other Linux and Solaris (UNIX) wipers. It is currently unknown at this time how the threat actors were able to compromise and obtain initial access before entering into the ICS network. For further details on CaddyWiper, please see our Threat Signal here. This is a current news event, further details will be published when available.What are the Technical Details of this Attack?Industroyer2 is a Windows executable file and was executed via a scheduled task on April 8th. According to the analysis, it was compiled on March 23rd which suggests that the threat actors (Sandworm) behind this attack had planned it for over two weeks. Industroyer2 communicates over the IEC 60870-5-104 protocol, which is used by ICS/SCADA devices to communicate. This variant is different from the original Industroyer, which supported multiple ICS protocols.Caddywiper was deployed via a group policy object (GPO) to likely thwart any forensic recovery and analysis. It was found on machines that contained Industroyer2 installations. Other malware (ORCSHRED, SOLOSHRED, AWFULSHRED) found in these campaigns were destructive Linux and Solaris (UNIX) versions that acted as a worm and wiper and were deployed via shell scripts.What Operating Systems are Affected?Windows, Linux and Solaris systems are affected.What is the Severity of this Attack?Medium. This is limited specifically to targeted attacks.What is the Status of Coverage?FortiGuard Labs has the following (AV) signatures in place for publicly available samples as:W32/Agent.AECG!trData/KillDisk.NDA!trAll network IOC’s are blocked by the WebFiltering client.

Read More

CVE-2019-6834

Read Time:17 Second

A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)

Read More