Composer version 1.4.13 appears to be missing security patch
cianevans opened this issue
cianevans commented
When downloading the latest version (v1.4.13) via Composer, it does not seem to contain the security patch for "Disallow symlinks to out-of-path filenames" (cde4605).
This seems to download the following package:
https://codeload.github.com/pear/Archive_Tar/legacy.zip/2b87b41178cc6d4ad3cba678a46a1cae49786011
Steps to reproduce:
- 'composer require pear/archive_tar'
- The package.xml states the version as 1.4.13; however, if you look in Archive/Tar.php at line 2126, it is missing the code changes above.
Fortiguard blocks this download due to the following threat:
https://www.fortiguard.com/encyclopedia/ips/49786
Michiel Rook commented
Hi @cianevans, I'm rolling a new release next week; this should be sorted then as well. Thanks for reporting.
Michiel Rook commented
1.4.14 was just released; this should be fixed now.
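As an added illustration of the class of bug the missing patch addresses ("Disallow symlinks to out-of-path filenames"), and not code from Archive_Tar or from anyone in this thread: the Python sketch below builds a constructed tarball containing a benign symlink and two symlinks whose targets leave the extraction directory, then audits each member with an out-of-path check of the kind an extractor needs before creating links. The archive layout, the file names and the function names are assumptions made for the example.

```python
import io
import posixpath
import tarfile


def build_sample_tar() -> bytes:
    """Constructed sample archive (not a real-world capture):
    one regular file, one in-path symlink, and two symlinks
    whose targets escape the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("docs/readme.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        ok_link = tarfile.TarInfo("docs/readme.lnk")
        ok_link.type = tarfile.SYMTYPE
        ok_link.linkname = "readme.txt"          # stays inside docs/
        tar.addfile(ok_link)

        bad_rel = tarfile.TarInfo("docs/escape.lnk")
        bad_rel.type = tarfile.SYMTYPE
        bad_rel.linkname = "../../etc/passwd"    # climbs above the root
        tar.addfile(bad_rel)

        bad_abs = tarfile.TarInfo("abs.lnk")
        bad_abs.type = tarfile.SYMTYPE
        bad_abs.linkname = "/etc/passwd"         # absolute target
        tar.addfile(bad_abs)
    return buf.getvalue()


def link_target_in_path(member_name: str, linkname: str) -> bool:
    """Return True only if a symlink's target, resolved relative to the
    link's own directory inside the archive, stays within the extraction
    root. Absolute targets and targets that normalise to '..' or '../...'
    are out of path. (Hypothetical helper written for this example.)"""
    if posixpath.isabs(linkname):
        return False
    link_dir = posixpath.dirname(posixpath.normpath(member_name))
    target = posixpath.normpath(posixpath.join(link_dir, linkname))
    return not (target == ".." or target.startswith("../"))


def audit_tar(data: bytes) -> dict:
    """Map every member name to 'ok' or 'reject'; only symlinks with
    out-of-path targets are rejected here."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            if member.issym():
                safe = link_target_in_path(member.name, member.linkname)
                verdicts[member.name] = "ok" if safe else "reject"
            else:
                verdicts[member.name] = "ok"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_tar(build_sample_tar()).items():
        print(f"{verdict:7s} {name}")
```

The check is deliberately done on the archive's own (POSIX) paths rather than on the filesystem: resolving a target with `os.path.realpath` after the link already exists is too late. It also covers only symlink targets; entry names containing `..`, hard links, and writes that pass through a previously extracted symlink each need their own check in a real extractor.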