[pkg-php-pear] Bug#1073931: composer: security update broke feature branches

David Prévot taffit at debian.org
Fri Jun 21 08:38:02 BST 2024


Control: tags -1 confirmed

Hi,

On Thu, Jun 20, 2024 at 01:59:17PM +0200, Heiko Przybyl wrote:
> Package: composer
> Version: 2.0.9-2+deb11u3
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: htto at users.noreply.github.com, team at security.debian.org
> 
> Dear Maintainer,
> 
> yesterday unattended-upgrades installed version 2.0.9-2+deb11u3 composer
[…]
> Simple reproducer: Run composer install on the checkout of the feature-branch of 
> https://github.com/htto/debian-oldstable-composer

Thanks a lot for the simple PoC, I confirm I can reproduce it on
Bullseye (but not Bookworm). It unfortunately wasn’t caught in our
reduced CI (dropping some Git-related tests because we don’t import the
Git repository in the package source).

Regards,

taffit