openSUSE Security Update: Security update for php-composer
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1289-1
Rating:             important
References:         #1185376 #1187416
Cross-References:   CVE-2021-29472
CVSS scores:
                    CVE-2021-29472 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   This update for php-composer fixes the following issues:

   - Require php-mbstring as requested in boo#1187416

   - Version 1.10.22
     * Security: Fixed command injection vulnerability in HgDriver/HgDownloader
       and hardened other VCS drivers and downloaders
       (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472), boo#1185376

   - Version 1.10.21
     * Fixed support for new GitHub OAuth token format
     * Fixed processes silently ignoring the CWD when it does not exist

   - Version 1.10.20
     * Fixed exclude-from-classmap causing regex issues when having too many paths
     * Fixed compatibility issue with Symfony 4/5

   - Version 1.10.17
     * Fixed Bitbucket API authentication issue
     * Fixed parsing of Composer 2 lock files breaking in some rare conditions

   - Version 1.10.16
     * Added warning to validate command for cases where packages
       provide/replace a package that they also require
     * Fixed JSON schema validation issue with PHPStorm
     * Fixed symlink handling in archive command

   - Version 1.10.15
     * Fixed path repo version guessing issue

   - Version 1.10.14
     * Fixed version guesser to look at remote branches as well as local ones
     * Fixed path repositories version guessing to handle edge cases where
       version is different from the VCS-guessed version
     * Fixed COMPOSER env var causing issues when combined with the global command
     * Fixed a few issues dealing with PHP without openssl extension
       (not recommended at all but sometimes needed for testing)

   - Version 1.10.13
     * Fixed regressions with old version validation
     * Fixed invalid root aliases not being reported

   - Version 1.10.12
     * Fixed regressions with old version validation

   - Version 1.10.11
     * Fixed more PHP 8 compatibility issues
     * Fixed regression in handling of CTRL-C when xdebug is loaded
     * Fixed status handling of broken symlinks

   - Version 1.10.10
     * Fixed create-project not triggering events while installing the root package
     * Fixed PHP 8 compatibility issue
     * Fixed self-update to avoid automatically upgrading to the next major
       version once it becomes stable

   - Version 1.10.9
     * Fixed Bitbucket redirect loop when credentials are outdated
     * Fixed GitLab auth prompt wording
     * Fixed self-update handling of files requiring admin permissions to
       write to on Windows (it now does a UAC prompt)
     * Fixed parsing issues in funding.yml files

   - Version 1.10.8
     * Fixed compatibility issue with git being configured to show signatures by default
     * Fixed discarding of local changes when updating packages to include untracked files
     * Several minor fixes

   - Version 1.10.7
     * Fixed PHP 8 deprecations
     * Fixed detection of pcntl_signal being in disabled_functions when
       pcntl_async_signal is allowed

   - Version 1.10.6
     * Fixed version guessing to take composer-runtime-api and
       composer-plugin-api requirements into account to avoid selecting
       packages which require Composer 2
     * Fixed package name validation to allow several dashes following each other
     * Fixed post-status-cmd script not firing when there were no changes to be displayed
     * Fixed composer-runtime-api support on Composer 1.x, the package is now
       present as 1.0.0
     * Fixed support for composer show --name-only --self
     * Fixed detection of GitLab URLs when handling authentication in some cases

   - Version 1.10.5
     * Fixed self-update on PHP …
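   The CVE-2021-29472 entry above names the bug class but not the mechanism.
   The class is argument injection: a VCS driver that hands a repository URL
   to a command-line tool such as hg as a positional argument lets a URL that
   begins with "-" be parsed as an option of that tool. The PHP below is an
   added illustration written for this advisory, not Composer's own code or
   its actual patch; the class name VcsUrlGuard, the allowed-scheme list and
   the two sample URLs are assumptions constructed for the example. It shows
   the generic hardening a practitioner would apply: refuse option-like URLs,
   accept only known schemes, quote the value and end option parsing with "--".

```php
<?php
// Added example for the openSUSE php-composer advisory; not Composer's own code.
// Demonstrates hardening a VCS URL before it reaches a `hg` command line.
declare(strict_types=1);

final class VcsUrlGuard
{
    /** Schemes a Mercurial repository URL may legitimately use (assumption for this example). */
    private const ALLOWED_SCHEMES = ['http', 'https', 'ssh', 'file'];

    /**
     * Returns true when $url can safely be passed as a positional argument
     * to a VCS tool, false otherwise.
     */
    public static function isSafe(string $url): bool
    {
        // An argument starting with "-" is parsed as an option by hg, git and svn.
        if ($url === '' || $url[0] === '-') {
            return false;
        }
        // NUL bytes and line breaks terminate or split the argument unexpectedly.
        if (preg_match('/[\x00\r\n]/', $url) === 1) {
            return false;
        }
        // Only accept URLs with an explicitly allowed scheme.
        $scheme = parse_url($url, PHP_URL_SCHEME);
        return is_string($scheme)
            && in_array(strtolower($scheme), self::ALLOWED_SCHEMES, true);
    }

    /**
     * Builds the `hg identify` command line for $url, or throws if the URL is unsafe.
     * "--" ends option parsing, so even a vetted URL can never be read as an option.
     */
    public static function hgIdentifyCommand(string $url): string
    {
        if (!self::isSafe($url)) {
            throw new InvalidArgumentException('Refusing to pass unsafe VCS URL to hg: ' . $url);
        }
        return 'hg identify -- ' . escapeshellarg($url);
    }
}

// Constructed sample inputs: one legitimate repository URL and one
// option-like string that a third-party package could present as its URL.
$samples = [
    'https://hg.example.org/repo',
    '--config=alias.identify=!id',
];

foreach ($samples as $url) {
    try {
        echo VcsUrlGuard::hgIdentifyCommand($url), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

   The first sample yields an hg command with the URL quoted and placed after
   "--"; the second is rejected before any process is spawned. Note that
   escapeshellarg alone is not sufficient: it prevents shell interpretation,
   but a quoted "--config=..." still reaches hg as a single argument that hg
   itself parses as an option, which is why the leading-dash check and the
   "--" terminator are both needed. To confirm the fixed package is installed
   on an affected system, compare `rpm -q php-composer` against the package
   list in this advisory and check that `composer --version` reports 1.10.22
   or later.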