Category Archives: Advisories

composer-2.7.7-1.el9

Read Time:1 Minute, 9 Second

FEDORA-EPEL-2024-01755f0acd

Packages in this update:

composer-2.7.7-1.el9

Update description:

Version 2.7.7 2024-06-10

Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
Fixed perforce argument escaping (3773f775)
Fixed handling of zip bombs when extracting archives (de5f7e32)
Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
Fixed ability for config command to remove autoload keys (#11967)
Fixed empty type support in init command (#11999)
Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
Fixed regression showing network errors on PHP <8.1 (#11974)
Fixed some color bleed from a few warnings (#11972)

Read More

composer-2.7.7-1.fc40

Read Time:1 Minute, 8 Second

FEDORA-2024-9ed24c98cd

Packages in this update:

composer-2.7.7-1.fc40

Update description:

Version 2.7.7 2024-06-10

Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
Fixed perforce argument escaping (3773f775)
Fixed handling of zip bombs when extracting archives (de5f7e32)
Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
Fixed ability for config command to remove autoload keys (#11967)
Fixed empty type support in init command (#11999)
Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
Fixed regression showing network errors on PHP <8.1 (#11974)
Fixed some color bleed from a few warnings (#11972)

Read More

composer-2.7.7-1.fc39

Read Time:1 Minute, 8 Second

FEDORA-2024-bb55f8476a

Packages in this update:

composer-2.7.7-1.fc39

Update description:

Version 2.7.7 2024-06-10

Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
Fixed perforce argument escaping (3773f775)
Fixed handling of zip bombs when extracting archives (de5f7e32)
Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
Fixed ability for config command to remove autoload keys (#11967)
Fixed empty type support in init command (#11999)
Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
Fixed regression showing network errors on PHP <8.1 (#11974)
Fixed some color bleed from a few warnings (#11972)

Read More

ZDI-24-598: (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability

Read Time:20 Second

This vulnerability allows local attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the vulnerable behavior occurs only in certain hardware configurations. The ZDI has assigned a CVSS rating of 7.7.

Read More

ZDI-24-599: Adobe Substance 3D Stager SKP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Substance 3D Stager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-34115.

Read More

DSA-5708-1 cyrus-imapd – security update

Read Time:36 Second

Damian Poddebniak discovered that the Cyrus IMAP server didn’t restrict
memory allocation for some command arguments which may result in denial
of service. This update backports new config directives which allow to
configure limits, additional details can be found at:

https://www.cyrusimap.org/3.6/imap/download/release-notes/3.6/x/3.6.5.html

These changes are too intrusive to be backported to the version of
Cyrus in the oldstable distribution (bullseye). If the IMAP server is used
by untrusted users an update to Debian stable/bookworm is recommended.
In addition the version of cyrus-imapd in bullseye-backports will be
updated with a patch soon.

https://security-tracker.debian.org/tracker/DSA-5708-1

Read More

USN-6825-1: ADOdb vulnerabilities

Read Time:31 Second

It was discovered that the PDO driver in ADOdb was incorrectly handling
string quotes. A remote attacker could possibly use this issue to
perform SQL injection attacks. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7405)

It was discovered that ADOdb was incorrectly handling GET parameters in
test.php. A remote attacker could possibly use this issue to execute
cross-site scripting (XSS) attacks. This issue only affected Ubuntu
16.04 LTS. (CVE-2016-4855)

Emmet Leahy discovered that ADOdb was incorrectly handling string quotes
in PostgreSQL connections. A remote attacker could possibly use this issue
to bypass authentication. (CVE-2021-3850)

Read More