| Source | Link |
|---|---|
| bodhi | www.bodhi.fedoraproject.org/updates/FEDORA-2026-9b34a78e81 |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2026-9b34a78e81
#
include('compat.inc');
if (description)
{
script_id(320957);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/13");
script_xref(name:"FEDORA", value:"2026-9b34a78e81");
script_name(english:"Fedora 44 : composer (2026-9b34a78e81)");
script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the
FEDORA-2026-9b34a78e81 advisory.
### Version 2.10.1 - 2026-06-04
* Security: Fixed shell escaping when opening an editor (#12903)
* Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
* Fixed `source-fallback` also disabling fallbacks to dist install when source is the preferred install
method (#12888)
* Fixed source -> dist package updates wiping the .git dir without checking for local changes first
(#12912)
* Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
* Fixed warnings from Composer repositories being printed twice in some cases (#12907)
----
## Version 2.10.0
Read the [Composer 2.10 Release Announcement](https://blog.packagist.com/composer-2-10-release/) for more
details on the release highlights.
**Full Changelog**
- BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have
introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you
need this talk to us as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything
failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware was detected on
update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might have allowed https
requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed
(2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package name for the update command
(#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on download failure (#12698)
- Added --require parameter to create-project to add new packages to the project as it gets installed
(#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and
upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed audit command returning a success code when the vendor dir was not present (#12880)
Tenable has extracted the preceding description block directly from the Fedora security advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2026-9b34a78e81");
script_set_attribute(attribute:"solution", value:
"Update the affected composer package.");
script_set_attribute(attribute:"risk_factor", value:"High");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/04");
script_set_attribute(attribute:"patch_publication_date", value:"2026/06/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:44");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:composer");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Fedora Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include('rpm2.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Fedora' >!< os_product) audit(AUDIT_OS_NOT, 'Fedora');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
if (! preg(pattern:"^44([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'Fedora 44', 'Fedora ' + os_version);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);
var constraints = [
{
'release': '44',
'pkgs': [
{'reference':'composer-2.10.1-1.fc44', 'rpm_spec_vers_cmp':TRUE}
]
}
];
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
# Check that the target release is equal to the affected release
if (!empty_or_null(constraint['release'])){
if (constraint['release'] != os_release) continue;
}
if (!empty_or_null(constraint['sp'])){
if (constraint['sp'] != os_sp) continue;
}
foreach var pkg ( constraint['pkgs'] ) {
reference = NULL;
sp = NULL;
_cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
epoch = NULL;
allowmaj = NULL;
exists_check = NULL;
cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
## (no known rpm to check OR known rpm_exists)
(!exists_check || rpm_exists(rpm:exists_check)) &&
rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'composer');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation