tickets #163988
closed
[jsegitz@suse.de: [thomas@chauchefoin.fr: Outdated Pagure instance at code.opensuse.org]]
Description
Hi,
autobuild sent me to you. Are you responsible for the Pagure installation?
Thanks,
----- Forwarded message from Johannes Segitz <jsegitz@suse.de> -----
Date: Mon, 15 Jul 2024 15:12:49 +0200
From: Johannes Segitz <jsegitz@suse.de>
To: autobuild@suse.de
Cc: security@suse.de
Subject: [thomas@chauchefoin.fr: Outdated Pagure instance at code.opensuse.org]
Hi Autobuild,
do you maintain the Pagure installation there? Or is that something for
IT/cybersecurity?
Thanks
----- Forwarded message from Thomas Chauchefoin <thomas@chauchefoin.fr> -----
Date: Fri, 12 Jul 2024 18:41:12 +0200
From: Thomas Chauchefoin <thomas@chauchefoin.fr>
To: security@suse.de
Subject: Outdated Pagure instance at code.opensuse.org
Hey,
I recently reported 4 critical vulnerabilities on Pagure, all fixed in Pagure 5.14.1. From https://pagure.io/pagure/blob/6b06ac585529c3087364a5ebe4fb9d7c20e3c872/f/doc/changelog.rst:
Security Fix:
- Argument Injection in PagureRepo.log() rhbz#2277121 #5481 <https://pagure.io/pagure/pull-request/5481> (Thomas Chauchefoin)
- CVE-2024-4982: Path traversal in view_issue_raw_file() rhbz#2279411 #5484 <https://pagure.io/pagure/pull-request/5484> (Thomas Chauchefoin and Dominik Wombacher)
- CVE-2024-4981: update_file_in_git() follows symbolic links in temporary clones rhbz#2278745 #5483 <https://pagure.io/pagure/pull-request/5483> (Thomas Chauchefoin and Dominik Wombacher)
- generate_archive() follows symbolic links in temporary clones rhbz#2280030 #5482 <https://pagure.io/pagure/pull-request/5482> (Thomas Chauchefoin and Dominik Wombacher)
According to what I'm seeing on the footer of code.opensuse.org, you are still running Pagure 5.13.3. I strongly suggest upgrading the instance to the latest version so you can benefit from these patches.
Best,
-Thomas
----- End forwarded message -----
Johannes
GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
----- End forwarded message -----
Johannes
GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)