openSUSE: 2021:1289-1 important: php-composer
Description
This update for php-composer fixes the following issues:
- Require php-mbstring as requested in boo#1187416
- Version 1.10.22
* Security: Fixed command injection vulnerability in
HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472), boo#1185376
- Version 1.10.21
* Fixed support for new GitHub OAuth token format
* Fixed processes silently ignoring the CWD when it does not exist
- Version 1.10.20
* Fixed exclude-from-classmap causing regex issues when having too many
paths
* Fixed compatibility issue with Symfony 4/5
- Version 1.10.17
* Fixed Bitbucket API authentication issue
* Fixed parsing of Composer 2 lock files breaking in some rare conditions
- Version 1.10.16
* Added warning to validate command for cases where packages provide/
replace a package that they also require
* Fixed JSON schema validation issue with PHPStorm
* Fixed symlink handling in archive command
- Version 1.10.15
* Fixed path repo version guessing issue
- Version 1.10.14
* Fixed version guesser to look at remote branches as well as local
ones
* Fixed path repositories version guessing to handle edge cases where
version is different from the VCS-guessed version
* Fixed COMPOSER env var causing issues when combined with the global
command
* Fixed a few issues dealing with PHP without openssl extension (not
recommended at all but sometimes needed for testing)
- Version 1.10.13
* Fixed regressions with old version validation
* Fixed invalid root aliases not being reported
- Version 1.10.12
* Fixed regressions with old version validation
- Version 1.10.11
* Fixed more PHP 8 compatibility issues
* Fixed regression in handling of CTRL-C when xdebug is loaded
* Fixed status handling of broken symlinks
- Version 1.10.10
* Fixed create-project not triggering events while installing the root
package
* Fixed PHP 8 compatibility issue
* Fixed self-update to avoid automatically upgrading to the next major
version once it becomes stable
- Version 1.10.9
* Fixed Bitbucket redirect loop when credentials are outdated
* Fixed GitLab auth prompt wording
* Fixed self-update handling of files requiring admin permissions to
write to on Windows (it now does a UAC prompt)
* Fixed parsing issues in funding.yml files
- Version 1.10.8
* Fixed compatibility issue with git being configured to show signatures
by default
* Fixed discarding of local changes when updating packages to include
untracked files
* Several minor fixes
- Version 1.10.7
* Fixed PHP 8 deprecations
* Fixed detection of pcntl_signal being in disabled_functions when
pcntl_async_signal is allowed
- Version 1.10.6
* Fixed version guessing to take composer-runtime-api and
composer-plugin-api requirements into account to avoid selecting
packages which require Composer 2
* Fixed package name validation to allow several dashes following each
other
* Fixed post-status-cmd script not firing when there were no changes to
be displayed
* Fixed composer-runtime-api support on Composer 1.x, the package is now
present as 1.0.0
* Fixed support for composer show --name-only --self
* Fixed detection of GitLab URLs when handling authentication in some
cases
- Version 1.10.5
* Fixed self-update on PHP <5.6, seriously please upgrade
* Fixed 1.10.2 regression with PATH resolution in scripts
- Version 1.10.4
* Fixed 1.10.2 regression in path symlinking with absolute path repos
- Version 1.10.3
* Fixed invalid --2 flag warning in self-update when no channel is
requested
- Version 1.10.2
* Added --1 flag to self-update command which can be added to automated
self-update runs to make sure it won't automatically jump to 2.0 once
that is released
* Fixed path repository symlinks being made relative when the repo url
is defined as absolute paths
* Fixed potential issues when using "composer ..." in scripts and
composer/composer was also required in the project
* Fixed 1.10.0 regression when downloading GitHub archives from non-API
URLs
* Fixed handling of malformed info in fund command
* Fixed Symfony5 compatibility issues in a few commands
- Version 1.10.1
* Fixed path repository warning on empty path when using wildcards
* Fixed superfluous warnings when generating optimized autoloaders
- Version 1.10.0
* Breaking: composer global exec ... now executes the process in the
current working directory instead of executing it in the global
directory.
* Warning: Added a warning when class names are being loaded by a PSR-4
or PSR-0 rule only due to classmap optimization, but would not
otherwise be autoloadable. Composer 2.0 will stop autoloading these
classes so make sure you fix your autoload configs.
* Added new funding key to composer.json to describe ways your package's
maintenance can be funded. This reads info from GitHub's FUNDING.yml
by default so better configure it there so it shows on GitHub and
Composer/Packagist
* Added composer fund command to show funding info of your dependencies
* Added bearer auth config to authenticate using Authorization: Bearer
Patch
Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1289=1
- openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2021-1289=1
- openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-1289=1
- openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2021-1289=1
Package List
- openSUSE Leap 15.2 (noarch): php-composer-1.10.22-lp152.2.3.1
- openSUSE Backports SLE-15-SP3 (noarch): php-composer-1.10.22-bp153.2.3.1
- openSUSE Backports SLE-15-SP2 (noarch): php-composer-1.10.22-bp152.2.3.1
- openSUSE Backports SLE-15-SP1 (noarch): php-composer-1.10.22-bp151.3.3.1
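
To confirm after patching that a host carries the build with the CVE-2021-29472 fix, the installed version-release can be compared against the fixed builds in the package list above. This is an added example, not part of the original advisory; the product labels (leap-15.2, backports-sle15sp3, ...) and function names are assumptions made for illustration, and `sort -V` (GNU coreutils) stands in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example: check an installed php-composer build against the fixed
# builds listed in this advisory. Product labels below are hypothetical keys.

# Print the fixed version-release for a product (values from the package list).
fixed_build() {
    case "$1" in
        leap-15.2)          echo "1.10.22-lp152.2.3.1" ;;
        backports-sle15sp3) echo "1.10.22-bp153.2.3.1" ;;
        backports-sle15sp2) echo "1.10.22-bp152.2.3.1" ;;
        backports-sle15sp1) echo "1.10.22-bp151.3.3.1" ;;
        *) return 1 ;;
    esac
}

# is_patched PRODUCT INSTALLED_VERSION_RELEASE
# Returns 0 if INSTALLED sorts at or after the fixed build, 1 if it is older,
# 2 if the product label is unknown.
is_patched() {
    fixed=$(fixed_build "$1") || return 2
    # The fixed build must be the lower (or equal) of the two under version sort.
    lowest=$(printf '%s\n%s\n' "$fixed" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# When called with one product label, query the local RPM database.
if [ "$#" -eq 1 ]; then
    fixed_build "$1" >/dev/null || { echo "unknown product: $1" >&2; exit 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' php-composer) || {
        echo "php-composer is not installed" >&2; exit 3; }
    if is_patched "$1" "$installed"; then
        echo "php-composer $installed: fixed build or newer"
    else
        echo "php-composer $installed: older than fixed build, apply openSUSE-2021-1289"
        exit 1
    fi
fi
```
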
References
https://www.suse.com/security/cve/CVE-2021-29472.html
https://bugzilla.suse.com/1185376
https://bugzilla.suse.com/1187416