Composer issue: CVE-2024-24821
Bug #2052999 reported by
Lee Willis
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| composer (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
On Jammy, the latest version of composer is 2.2.6.
$ apt policy composer
composer:
Installed: 2.2.6-2ubuntu4
Candidate: 2.2.6-2ubuntu4
Version table:
*** 2.2.6-2ubuntu4 500
500 http://
100 /var/lib/
There is a CVE for composer for all versions prior to 2.7: https:/
Fixes related to this are not included in the current release as far as I can tell, so composer should be updated to the current release (v2.7.1 at time of writing), or relevant changes backported to v2.2.6 if that makes more sense.
$ lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Revision history for this message
| Eduardo Barretto (ebarretto) wrote | #1 |
| tags: | added: community-security |
| information type: | Private Security → Public Security |
| Changed in composer (Ubuntu): | |
| status: | New → Confirmed |
To post a comment you must log in.
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/