It was discovered that Composer did not properly sanitize URLs for Mercurial repositories in the root composer.json and package source download URLs. A remote attacker could possibly use this issue to execute arbitrary code.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "binaries": [ { "binary_version": "1.0.0~beta2-1ubuntu0.1~esm1", "binary_name": "composer" } ] }
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "binaries": [ { "binary_version": "1.6.3-1ubuntu0.1~esm1", "binary_name": "composer" } ] }
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "binaries": [ { "binary_version": "1.10.1-1ubuntu0.1~esm1", "binary_name": "composer" } ] }