-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 15 Apr 2026 12:33:06 +0200 Source: composer Architecture: source Version: 2.5.5-1+deb12u4 Distribution: bookworm Urgency: medium Maintainer: Debian PHP PEAR Maintainers Changed-By: David Prévot Changes: composer (2.5.5-1+deb12u4) bookworm; urgency=medium . * Fix command injection via malicious Perforce source reference/url [CVE-2026-40261] * Fix ommand injection via malicious Perforce repository definition [CVE-2026-40176] * Fix remote Code Execution via web-accessible composer.phar [CVE-2023-43655] Checksums-Sha1: 850719837677af2463a4b37ba367d9c0dbdd5277 2391 composer_2.5.5-1+deb12u4.dsc 5fd92907014f33ddf3be657114149480b9b329eb 23424 composer_2.5.5-1+deb12u4.debian.tar.xz f7a681d3255ce96931e5f3b7a6bf8d80a416a8d8 10275 composer_2.5.5-1+deb12u4_amd64.buildinfo Checksums-Sha256: a3771087fd25596915128d9e8c5eb97a51863d7cf9398ba80e4b43c1f1be2cb5 2391 composer_2.5.5-1+deb12u4.dsc 2b7c3a1f867bc40161e5ca2b8c58df10eaf5e40f2d11febacd3729dd09961ddf 23424 composer_2.5.5-1+deb12u4.debian.tar.xz b921aa898eab48904e253eb1ec878804cceec7dcc652342df8eb4e0b49ce017a 10275 composer_2.5.5-1+deb12u4_amd64.buildinfo Files: c7709fa2466587c0903d6e6fcd18592e 2391 php optional composer_2.5.5-1+deb12u4.dsc ca9c7b4d2cf8cadc35e20d40a6dc46cd 23424 php optional composer_2.5.5-1+deb12u4.debian.tar.xz d03cbc7b4ae803bf244535748175e1d3 10275 php optional composer_2.5.5-1+deb12u4_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmn4QecSHHRhZmZpdEBk ZWJpYW4ub3JnAAoJEAWMHPlE9r08R2MH/iUotRDcFbgmKvyxDjh57cG4Qq0zYH3I d+ZozHAif542x0s3KgD+Q4AKkY8cTkuP9631uanW4uDWtYN9oQ5n3tdfBF6OHP9c 8oWSn2y6STazI6edFlRdOXl93olBIVxGj4e1HXiXw1KdrtE23rcQ+wnxAX2s23oz VGIFV+G3q0v/LcHRgMcv1Oyj3k0RvfB0FkB8YOJ9jkrr3Wp/23vy3vUywZ4OmkDE 3DPoZsfbJzHMNyb3s+sSAUccLLlc3vVBYanpF/LR7nmwT9/YgmjG4qRAYg9vFduP OkW31P/YKyP5cg0zrJbRVDf5q2feKtS6sjv47+fOtPIegOySI6WpGkY= =ZX2B -----END PGP SIGNATURE-----