-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 15 Apr 2026 10:50:08 +0200 Source: composer Architecture: source Version: 2.8.8-1+deb13u2 Distribution: trixie Urgency: medium Maintainer: Debian PHP PEAR Maintainers Changed-By: David Prévot Changes: composer (2.8.8-1+deb13u2) trixie; urgency=medium . * Fix command injection via malicious Perforce repository definition [CVE-2026-40261] * Fix command injection via malicious Perforce source reference/url [CVE-2026-40176] Checksums-Sha1: 1e2d219d81728f1d503c9f418777d4637e3b0031 2254 composer_2.8.8-1+deb13u2.dsc 5e9ceefe39a6d7b7ad9bafda14a2a271580dbf4d 51980 composer_2.8.8-1+deb13u2.debian.tar.xz b415b80db0761e7498ca7dde62ced54f431a76fc 9984 composer_2.8.8-1+deb13u2_amd64.buildinfo Checksums-Sha256: 9d47f7954a15c316f7be18471af6db9de0e3b804de76606b587690e11bccf54a 2254 composer_2.8.8-1+deb13u2.dsc ae8a81fdb0ced1ade2a33ba5b36f535e5067870393110dccd3675b5d61c557a2 51980 composer_2.8.8-1+deb13u2.debian.tar.xz 5a1aaad30189b23c80b7f4af0e9f88573d7ebacef478182ad168090f26b42fcf 9984 composer_2.8.8-1+deb13u2_amd64.buildinfo Files: acc48f0795772295d6d1f9dd98568ccd 2254 php optional composer_2.8.8-1+deb13u2.dsc c6a8c17f21ff20ac853bc629bff12bfc 51980 php optional composer_2.8.8-1+deb13u2.debian.tar.xz c79ccc69b6ea47a589f165e8a5ee3416 9984 php optional composer_2.8.8-1+deb13u2_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmn4QegSHHRhZmZpdEBk ZWJpYW4ub3JnAAoJEAWMHPlE9r08aAAH/AzOkHmOJA2KxOqKndSAO7Ht+zKKY+j5 1kNMgvhxzx4CMz4SLuJl4Q9MHJmCJ9wbvwobGhT9wkcEb6UvdkOHRFLeeHB39pcv eEDr1mxL5E/iOdqeQVHX2XnfdYonC5+AZsWsApoRcDfd6mg1RMUql3E/IuDXzAum yEbvr04l918B7OKC3SrgmV6sBzV6Lwrj4TrHw2wEwdYzIv4X8CWDsd0WGzk0pqgH XuCuxSK23IuOQPb3jgYtJRCagjeYFOpYv6nSAYRBVdRbOYwTA6JTkCo4vJRT1Khf bDAxBTGZ5ufsdqaKRWUFQJlVQVl5njK/lewzEHvlfozhXWEJiTNMWTI= =/MU9 -----END PGP SIGNATURE-----