Description of the patch:
This update for php-composer2 fixes the following issues:
- CVE-2026-40176: command injection via malicious Perforce repository definition (bsc#1262254).
- CVE-2026-40261: command injection via malicious Perforce source reference/url (bsc#1262255).
Changes for php-composer2:
- version update to 2.2.27 (align with upstream LTS version)
  - Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  - Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  - Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  - Fixed issue handling paths with = in them on Windows (#11568)
- version 2.2.26 2025-12-30
  - Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
- version 2.2.25 2024-12-11
  - Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is neither guaranteed nor tested, though; the main purpose of LTS releases is support for legacy PHP versions. (#12217)
  - Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  - Fixed duplicate errors appearing in the output depending on PHP settings (#12214)
  - Fixed InstalledVersions returning duplicate data in some instances (#12225)
- version 2.2.24 2024-06-10
  - Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  - Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  - Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  - Security: Fixed Filesystem::isLocalPath including Windows-specific checks on Linux (3c37a67c)
  - Security: Fixed perforce argument escaping (3773f775)
  - Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  - Security: Fixed Windows command...