ALAS-2024-650

Amazon Linux 2023 Security Advisory: ALAS-2024-650
Advisory Release Date: 2024-07-03 22:13 Pacific
Advisory Updated Date: 2024-07-10 13:30 Pacific

Severity: Important

References: CVE-2024-35241
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. (CVE-2024-35241)

Affected Packages:

composer

Issue Correction:
Run dnf update composer --releasever 2023.5.20240708 to update your system.

New Packages:

noarch:
    composer-2.5.8-2.amzn2023.0.3.noarch

src:
    composer-2.5.8-2.amzn2023.0.3.src

Additional References

Red Hat: CVE-2024-35241

Mitre: CVE-2024-35241

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-650

Additional References