-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Apr 2026 08:28:37 +0200
Source: composer
Architecture: source
Version: 2.9.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
 composer (2.9.7-1) unstable; urgency=medium
 .
   [ Jordi Boggiano ]
   * Update docs for COMPOSER_NO_SECURITY_BLOCKING to include that it is
     supported in install command
   * Fix inconsistent treatment of SingleCommandApplication script commands
     (#12758)
   * Fix usage of insecure 3DES cipher suites when curl is disabled
   * Fix fossil driver identifier validation for getFileContent
   * Convert perforce util to use array process args to avoid injections
   * Fixes custom script command aliases regression when a script is called a
     substring of a composer command
   * Release 2.9.7
     + Fix command injection via malicious Perforce source reference/url
       [CVE-2026-40176]
     + Fix command injection via malicious Perforce repository definition
       [CVE-2026-40261]
 .
   [ Yanick Witschi ]
   * Parse HTML in extension info when not on CLI (#12735)
 .
   [ Denis ]
   * Relay GitHub API error messages to the user on auth failures (#12737)
 .
   [ mamazu ]
   * Improving the error message when package version can't be parsed (#12743)
 .
   [ Jorg Adam Sowa ]
   * Fix credentials persisting in git mirror .git/config after clone or failed
     update
 .
   [ Stephan Vock ]
   * Fix perforce unescaped user input in queryP4User shell commands
   * Fix git/hg driver identifier validation for getChangeDate when using
     method programmatically
   * Fix fossil update call when calling it with valid branch names like
     --dry-run or --latest
 .
   [ David Prévot ]
   * Update standards version to 4.7.4
   * Track 2.9
Checksums-Sha1:
151f89728a6d22f2f02a37fad62d16a053436a8b 2313 composer_2.9.7-1.dsc
d1a09f737d3ff80804aaa75af2f6ad702efe1722 719708 composer_2.9.7.orig.tar.xz
a4cc17c50382e4cdeb6c927efcb229bd547b0849 52956 composer_2.9.7-1.debian.tar.xz
af9124aad1abc152b62dbf3336293bee46d7fdf8 9582 composer_2.9.7-1_amd64.buildinfo
Checksums-Sha256:
d1558cdc7920e0cfac9ff4b76a499a46cc693a97c08007b1d951fdfec4b265cc 2313 composer_2.9.7-1.dsc
e3d85121be38a92b1da708fb4ec06487ab1c252140193944f791d7dc3c6271ae 719708 composer_2.9.7.orig.tar.xz
d95e4bbc4d1c03d743e40fa9265182cd0ebaa728298d9ac6f25a7c7a04846f16 52956 composer_2.9.7-1.debian.tar.xz
820de2ef9fa42306c8c60cd0ae8a8a079d17688ba39d7f2489ad5e23ccaac5b0 9582 composer_2.9.7-1_amd64.buildinfo
Files:
3368aee7082b2a9b0dc254719fd94d44 2313 php optional composer_2.9.7-1.dsc
19d51a55f11dcbdb054c795ee178f0be 719708 php optional composer_2.9.7.orig.tar.xz
665a37860391c34e44daebc1b5f78789 52956 php optional composer_2.9.7-1.debian.tar.xz
e26a6ddb960f59894745bd1bca050981 9582 php optional composer_2.9.7-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----