[ubuntu/jammy-updates] pagure 5.11.3+dfsg-1ubuntu0.1 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Mon Feb 2 05:58:29 UTC 2026
pagure (5.11.3+dfsg-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: path traversal via symbolic links
    - debian/patches/CVE-2024-4981.patch: validate that the file paths are
      within temp repository and outside '.git/' folder to prevent data
      leaks and unauthorized file modifications
    - CVE-2024-4981
  * SECURITY UPDATE: Path traversal in view_issue_raw_file()
    - debian/patches/CVE-2024-4982.patch: use werkzeug.security.safe_join()
      instead of plain 'os.path.join()' to sanitize user-provided filename
    - CVE-2024-4982
  * SECURITY UPDATE: UNIX symbolic link following
    - debian/patches/CVE-2024-47515.patch: in case of symlinks, add actual
      link instead of target to the zip archive which avoids following of
      symlinks and inclusion of data from outside the repo
    - CVE-2024-47515
  * SECURITY UPDATE: argument injection in PagureRepo.log()
    - debian/patches/CVE-2024-47516.patch: prevent the injection of
      additional options to the git command-line by adding the
      `--end-of-option` flag before any user-controlled value
Date: 2026-01-28 04:08:10.732660+00:00
Changed-By: Shishir Subedi <shishirsub10 at gmail.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/pagure/5.11.3+dfsg-1ubuntu0.1
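
The check described for CVE-2024-4981.patch above (file paths must resolve inside the temporary repository and outside '.git/'), sketched as an added example. It is not the pagure patch or Ubuntu's code; `is_safe_repo_path`, `demo` and the sample repository layout are hypothetical and constructed for illustration.

```python
import os
import tempfile


def is_safe_repo_path(repo_root, rel_path):
    """Return True if rel_path, with symlinks resolved, stays inside
    repo_root and outside its .git/ directory (hypothetical helper)."""
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    # Containment is checked on the resolved path, not on the string received.
    if os.path.commonpath([root, target]) != root:
        return False
    # Path relative to the repo after resolution; reject the repo root itself
    # and anything under .git/ (hooks, config, objects).
    inner = os.path.relpath(target, root)
    if inner == os.curdir:
        return False
    return inner.split(os.sep)[0] != ".git"


def demo():
    """Build a constructed temp repo layout and classify sample paths."""
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, "repo")
        os.makedirs(os.path.join(repo, ".git", "hooks"))
        os.makedirs(os.path.join(repo, "docs"))
        secret = os.path.join(base, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the repo\n")
        with open(os.path.join(repo, "docs", "README"), "w") as fh:
            fh.write("ok\n")
        # Constructed symlinks: one escapes the repo, one points into .git/.
        os.symlink(secret, os.path.join(repo, "leak"))
        os.symlink(os.path.join(repo, ".git", "hooks"), os.path.join(repo, "h"))
        samples = ["docs/README", "leak", "../secret.txt", "h/pre-commit",
                   ".git/config", "docs/new-file"]
        return {p: is_safe_repo_path(repo, p) for p in samples}


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path:15} {'allow' if ok else 'reject'}")
```

The symlinked entries (`leak`, `h/pre-commit`) look harmless as strings and are rejected only because the check runs on the resolved path.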