tickets #163988
closed: [jsegitz@suse.de: [thomas@chauchefoin.fr: Outdated Pagure instance at code.opensuse.org]]
Description
Hi,
autobuild sent me to you. Are you responsible for the Pagure installation?
Thanks,
----- Forwarded message from Johannes Segitz jsegitz@suse.de -----
Date: Mon, 15 Jul 2024 15:12:49 +0200
From: Johannes Segitz jsegitz@suse.de
To: autobuild@suse.de
Cc: security@suse.de
Subject: [thomas@chauchefoin.fr: Outdated Pagure instance at code.opensuse.org]
Hi Autobuild,
do you maintain the Pagure installation there? Or is that something for
IT/cybersecurity?
Thanks
----- Forwarded message from Thomas Chauchefoin thomas@chauchefoin.fr -----
Date: Fri, 12 Jul 2024 18:41:12 +0200
From: Thomas Chauchefoin thomas@chauchefoin.fr
To: security@suse.de
Subject: Outdated Pagure instance at code.opensuse.org
Hey,
I recently reported 4 critical vulnerabilities on Pagure, all fixed in Pagure 5.14.1. From https://pagure.io/pagure/blob/6b06ac585529c3087364a5ebe4fb9d7c20e3c872/f/doc/changelog.rst:
Security Fix:
- Argument Injection in PagureRepo.log() rhbz#2277121 #5481 <https://pagure.io/pagure/pull-request/5481> (Thomas Chauchefoin)
- CVE-2024-4982: Path traversal in view_issue_raw_file() rhbz#2279411 #5484 <https://pagure.io/pagure/pull-request/5484> (Thomas Chauchefoin and Dominik Wombacher)
- CVE-2024-4981: update_file_in_git() follows symbolic links in temporary clones rhbz#2278745 #5483 <https://pagure.io/pagure/pull-request/5483> (Thomas Chauchefoin and Dominik Wombacher)
- generate_archive() follows symbolic links in temporary clones rhbz#2280030 #5482 <https://pagure.io/pagure/pull-request/5482> (Thomas Chauchefoin and Dominik Wombacher)
According to what I'm seeing on the footer of code.opensuse.org, you are still running Pagure 5.13.3. I strongly suggest upgrading the instance to the latest version so you can benefit from these patches.
Best,
-Thomas
----- End forwarded message -----
Johannes
GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
----- End forwarded message -----
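The two symlink entries and the path traversal entry in the forwarded changelog share one root cause: a repository-relative path is used to open a file inside a temporary clone without checking that the resolved target stays inside that clone. As an added illustration that is not Pagure's code nor any of the linked patches, the Python below resolves such a path defensively and exercises it against a constructed throwaway clone; `resolve_in_clone`, `demo` and the sample file names are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path would leave the clone directory."""


def resolve_in_clone(clone_root, relative_path):
    """Map a repository-relative path onto a file inside a temporary clone.

    Rejects absolute paths and '..' up front, then walks the path component by
    component and refuses any symbolic link, so a link committed to the
    repository cannot redirect a read or write to a file outside the clone."""
    rel = Path(relative_path)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafePathError(f"traversal rejected: {relative_path!r}")
    root = Path(clone_root).resolve(strict=True)
    current = root
    for part in rel.parts:
        current = current / part
        if current.is_symlink():
            raise UnsafePathError(f"symlink rejected: {current.relative_to(root)}")
    resolved = current.resolve()
    # Belt and braces: the final target must still sit under the clone root.
    if resolved != root and root not in resolved.parents:
        raise UnsafePathError(f"escaped clone root: {resolved}")
    return resolved


def demo():
    """Build a constructed throwaway 'clone' (not real Pagure data) holding a
    regular file, a file symlink and a directory symlink that both point outside
    the clone, then report which requests are accepted."""
    outside = Path(tempfile.mkdtemp(prefix="outside-")) / "secret.txt"
    outside.write_text("not part of the repository\n")
    clone = Path(tempfile.mkdtemp(prefix="clone-"))
    (clone / "docs").mkdir()
    (clone / "docs" / "README.rst").write_text("hello\n")
    os.symlink(outside, clone / "leak.txt")            # file link out of the clone
    os.symlink(outside.parent, clone / "docs" / "up")  # directory link out of the clone
    results = {}
    for rel in ["docs/README.rst", "leak.txt", "docs/up/secret.txt", "../secret.txt"]:
        try:
            resolve_in_clone(clone, rel)
            results[rel] = "ok"
        except UnsafePathError:
            results[rel] = "rejected"
    return results
```

Only the regular file is served; the file link, the link inside a symlinked directory and the `..` traversal are all refused before any file is opened.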
Updated by crameleon 5 months ago
- Category set to Pagure
- Status changed from New to In Progress
- Assignee set to crameleon
Hi,
thanks for reporting.
Some of these patches have already been implemented even before the official release on our Pagure instance at code.opensuse.org (due to upstream involvement we find out in advance), but we did not fully update the package yet to also reflect the new version number.
I will validate if all of the mentioned points have been considered and let you know shortly.
Best,
Georg
@wombelix: Can we do the full/proper package update soon or is there something to consider?
Updated by crameleon 5 months ago
- Priority changed from Normal to High
Seems only one of them is:
- https://pagure.io/fork/wombelix/pagure/c/affcebf0f99281ef29f6d8b976e77fadf0ea96c5 => already implemented
- https://pagure.io/fork/wombelix/pagure/c/9e1a5c49cfbc730fd361d87eeb6be74fca6cf6a7 => missing
- https://pagure.io/fork/wombelix/pagure/c/2803a7ac66636153865e9238e48018b90ace0999 => missing
- https://pagure.io/fork/wombelix/pagure/c/c6ced5d61d1987da23d8e6b5aa8a03379f1f3691 => missing
So we should work on this more urgently.
Updated by crameleon 5 months ago
- Status changed from In Progress to Blocked
Submitted to maintenance: https://build.opensuse.org/request/show/1187577.
Updated by wombelix 5 months ago
Sorry about the delay, the new release works without issues on pagure.io and src.fedoraproject.org for example. Should be low risk to update code.o.o as well and fixes critical CVEs. I see that the OBS request is to push pagure into SLE 15 SP6 backports. I was under the impression we use https://build.opensuse.org/package/show/openSUSE:infrastructure:pagure/pagure ? And there the updated package seems to be already available.
Updated by crameleon 5 months ago
- Status changed from Blocked to In Progress
Hi @wombelix,
thanks for confirming!
Yes, we use it from the official repositories (which are our preferred source unless something is not available there or if we do not want to wait for a maintenance request). I already wanted to delete o:i:pagure to avoid confusion. The official update should make it soon: https://build.opensuse.org/request/show/1188373 - but I will update from o:i:pagure for now and then switch back and clean the project up when ready.