-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Apr 2026 12:33:06 +0200
Source: composer
Architecture: source
Version: 2.5.5-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
composer (2.5.5-1+deb12u4) bookworm; urgency=medium
.
* Fix command injection via malicious Perforce source reference/url
[CVE-2026-40261]
* Fix command injection via malicious Perforce repository definition
[CVE-2026-40176]
* Fix remote Code Execution via web-accessible composer.phar
[CVE-2023-43655]
Checksums-Sha1:
850719837677af2463a4b37ba367d9c0dbdd5277 2391 composer_2.5.5-1+deb12u4.dsc
5fd92907014f33ddf3be657114149480b9b329eb 23424 composer_2.5.5-1+deb12u4.debian.tar.xz
f7a681d3255ce96931e5f3b7a6bf8d80a416a8d8 10275 composer_2.5.5-1+deb12u4_amd64.buildinfo
Checksums-Sha256:
a3771087fd25596915128d9e8c5eb97a51863d7cf9398ba80e4b43c1f1be2cb5 2391 composer_2.5.5-1+deb12u4.dsc
2b7c3a1f867bc40161e5ca2b8c58df10eaf5e40f2d11febacd3729dd09961ddf 23424 composer_2.5.5-1+deb12u4.debian.tar.xz
b921aa898eab48904e253eb1ec878804cceec7dcc652342df8eb4e0b49ce017a 10275 composer_2.5.5-1+deb12u4_amd64.buildinfo
Files:
c7709fa2466587c0903d6e6fcd18592e 2391 php optional composer_2.5.5-1+deb12u4.dsc
ca9c7b4d2cf8cadc35e20d40a6dc46cd 23424 php optional composer_2.5.5-1+deb12u4.debian.tar.xz
d03cbc7b4ae803bf244535748175e1d3 10275 php optional composer_2.5.5-1+deb12u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----