-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Apr 2026 10:50:08 +0200
Source: composer
Architecture: source
Version: 2.8.8-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
composer (2.8.8-1+deb13u2) trixie; urgency=medium
.
* Fix command injection via malicious Perforce repository definition
[CVE-2026-40261]
* Fix command injection via malicious Perforce source reference/url
[CVE-2026-40176]
Checksums-Sha1:
1e2d219d81728f1d503c9f418777d4637e3b0031 2254 composer_2.8.8-1+deb13u2.dsc
5e9ceefe39a6d7b7ad9bafda14a2a271580dbf4d 51980 composer_2.8.8-1+deb13u2.debian.tar.xz
b415b80db0761e7498ca7dde62ced54f431a76fc 9984 composer_2.8.8-1+deb13u2_amd64.buildinfo
Checksums-Sha256:
9d47f7954a15c316f7be18471af6db9de0e3b804de76606b587690e11bccf54a 2254 composer_2.8.8-1+deb13u2.dsc
ae8a81fdb0ced1ade2a33ba5b36f535e5067870393110dccd3675b5d61c557a2 51980 composer_2.8.8-1+deb13u2.debian.tar.xz
5a1aaad30189b23c80b7f4af0e9f88573d7ebacef478182ad168090f26b42fcf 9984 composer_2.8.8-1+deb13u2_amd64.buildinfo
Files:
acc48f0795772295d6d1f9dd98568ccd 2254 php optional composer_2.8.8-1+deb13u2.dsc
c6a8c17f21ff20ac853bc629bff12bfc 51980 php optional composer_2.8.8-1+deb13u2.debian.tar.xz
c79ccc69b6ea47a589f165e8a5ee3416 9984 php optional composer_2.8.8-1+deb13u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmn4QegSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08aAAH/AzOkHmOJA2KxOqKndSAO7Ht+zKKY+j5
1kNMgvhxzx4CMz4SLuJl4Q9MHJmCJ9wbvwobGhT9wkcEb6UvdkOHRFLeeHB39pcv
eEDr1mxL5E/iOdqeQVHX2XnfdYonC5+AZsWsApoRcDfd6mg1RMUql3E/IuDXzAum
yEbvr04l918B7OKC3SrgmV6sBzV6Lwrj4TrHw2wEwdYzIv4X8CWDsd0WGzk0pqgH
XuCuxSK23IuOQPb3jgYtJRCagjeYFOpYv6nSAYRBVdRbOYwTA6JTkCo4vJRT1Khf
bDAxBTGZ5ufsdqaKRWUFQJlVQVl5njK/lewzEHvlfozhXWEJiTNMWTI=
=/MU9
-----END PGP SIGNATURE-----
