tickets #163988

closed

[jsegitz@suse.de: [thomas@chauchefoin.fr: Outdated Pagure instance at code.opensuse.org]]

Added by jsegitz@suse.de 12 days ago. Updated 9 days ago.

Status: Resolved
Priority: High
Assignee:
Category: Pagure
Target version: -
Start date: 2024-07-15
Due date:
% Done: 0%
Estimated time:

Description

Hi,

autobuild sent me to you. Are you responsible for the Pagure installation?

Thanks,

----- Forwarded message from Johannes Segitz jsegitz@suse.de -----

Date: Mon, 15 Jul 2024 15:12:49 +0200
From: Johannes Segitz jsegitz@suse.de
To: autobuild@suse.de
Cc: security@suse.de
Subject: [thomas@chauchefoin.fr: Outdated Pagure instance at code.opensuse.org]

Hi Autobuild,

do you maintain the Pagure installation there? Or is that something for
IT/cybersecurity?

Thanks

----- Forwarded message from Thomas Chauchefoin thomas@chauchefoin.fr -----

Date: Fri, 12 Jul 2024 18:41:12 +0200
From: Thomas Chauchefoin thomas@chauchefoin.fr
To: security@suse.de
Subject: Outdated Pagure instance at code.opensuse.org

Hey,

I recently reported 4 critical vulnerabilities on Pagure, all fixed in Pagure 5.14.1. From https://pagure.io/pagure/blob/6b06ac585529c3087364a5ebe4fb9d7c20e3c872/f/doc/changelog.rst:

Security Fix:

  • Argument Injection in PagureRepo.log() rhbz#2277121 #5481 <https://pagure.io/pagure/pull-request/5481> (Thomas Chauchefoin)
  • CVE-2024-4982: Path traversal in view_issue_raw_file() rhbz#2279411 #5484 <https://pagure.io/pagure/pull-request/5484> (Thomas Chauchefoin and Dominik Wombacher)
  • CVE-2024-4981: update_file_in_git() follows symbolic links in temporary clones rhbz#2278745 #5483 <https://pagure.io/pagure/pull-request/5483> (Thomas Chauchefoin and Dominik Wombacher)
  • generate_archive() follows symbolic links in temporary clones rhbz#2280030 #5482 <https://pagure.io/pagure/pull-request/5482> (Thomas Chauchefoin and Dominik Wombacher)

According to what I'm seeing on the footer of code.opensuse.org, you are still running Pagure 5.13.3. I strongly suggest upgrading the instance to the latest version so you can benefit from these patches.

Best,
-Thomas

----- End forwarded message -----

Johannes

GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)

----- End forwarded message -----

Johannes



Files

signature.asc (833 Bytes) signature.asc jsegitz@suse.de, 2024-07-15 14:04