[ubuntu/noble-updates] pagure 5.11.3+dfsg-2.1ubuntu0.2 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Mon Feb 2 05:58:30 UTC 2026


pagure (5.11.3+dfsg-2.1ubuntu0.2) noble-security; urgency=medium

  * SECURITY UPDATE: path traversal via symbolic links
    - debian/patches/CVE-2024-4981.patch: validate that file paths are
      within the temporary repository and outside the '.git/' folder to
      prevent data leaks and unauthorized file modifications
    - CVE-2024-4981

  * SECURITY UPDATE: Path traversal in view_issue_raw_file()
    - debian/patches/CVE-2024-4982.patch: use werkzeug.security.safe_join()
      instead of plain 'os.path.join()' to sanitize the user-provided filename
    - CVE-2024-4982
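The two checks above, as an added example that is not pagure's own code: werkzeug.security.safe_join() refuses lexical traversal in a user-supplied filename ('../x', absolute paths), which is the CVE-2024-4982 approach; a symlink inside the repository can still resolve outside it, so the resolved path is additionally checked for containment in the repository and for the '.git/' directory, the CVE-2024-4981 approach. resolve_in_repo() and demo() are hypothetical helper names; the repository layout is constructed in a temporary directory; the safe_join stand-in is only used if werkzeug is not installed.

```python
"""Added example, not pagure's own code: lexical traversal check (safe_join)
plus a realpath-based containment and '.git/' check for symlink escapes."""
import os
import posixpath
import tempfile

try:
    from werkzeug.security import safe_join
except ImportError:
    # Assumption: werkzeug may be absent; this stand-in applies the same rules
    # werkzeug uses (normalise, then refuse '..', '../...' and absolute paths).
    def safe_join(directory, *pathnames):
        parts = [directory or "."]
        for filename in pathnames:
            if filename != "":
                filename = posixpath.normpath(filename)
            if (os.path.isabs(filename) or filename == ".."
                    or filename.startswith("../")):
                return None
            parts.append(filename)
        return posixpath.join(*parts)


def resolve_in_repo(repo_root, user_path):
    """Return the resolved on-disk path for user_path inside repo_root, or None.

    None means one of: lexical traversal, a path that resolves outside the
    repository once symlinks are followed, or anything under '.git/'.
    """
    joined = safe_join(repo_root, user_path)
    if joined is None:
        return None
    root = os.path.realpath(repo_root)
    target = os.path.realpath(joined)  # follows symlinks, so link escapes show up here
    if target != root and not target.startswith(root + os.sep):
        return None
    rel = os.path.relpath(target, root)
    if rel == ".git" or rel.startswith(".git" + os.sep):
        return None
    return target


def demo():
    """Constructed layout: a repo with one real file, a '.git/' directory and a
    symlink pointing at a file outside the repo. Returns {user_path: allowed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "w") as fh:
            fh.write("outside the repo\n")
        repo = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(repo, ".git"))
        os.makedirs(os.path.join(repo, "docs"))
        with open(os.path.join(repo, "docs", "README.md"), "w") as fh:
            fh.write("inside the repo\n")
        os.symlink(outside, os.path.join(repo, "escape"))
        requests = [
            "docs/README.md",      # ordinary file: allowed
            "../secret.txt",       # lexical traversal: rejected by safe_join
            "/etc/hostname",       # absolute path: rejected by safe_join
            "escape",              # symlink leaving the repo: rejected by the realpath check
            ".git/config",         # repository internals: rejected
            "docs/../.git/HEAD",   # normalises to .git/HEAD: rejected
        ]
        return {p: resolve_in_repo(repo, p) is not None for p in requests}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny '}  {path}")
```

safe_join() alone would accept "escape", because it only inspects the string; the realpath containment check is what catches a symlink planted inside the repository, which is why the changelog lists the two fixes separately.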

  * SECURITY UPDATE: UNIX symbolic link following
    - debian/patches/CVE-2024-47515.patch: in case of symlinks, add the
      actual link instead of its target to the zip archive, which avoids
      following symlinks and including data from outside the repo
    - CVE-2024-47515
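The archive behaviour described above, as an added example that is not pagure's own code: the "before" form lets zipfile.ZipFile.write() follow the symlink and copy its target into the archive, the "after" form stores a symlink entry whose body is only the link target string. build_archive(), add_member() and demo() are hypothetical names; the repository tree is constructed in a temporary directory.

```python
"""Added example, not pagure's own code: storing a symlink as a link entry in a
zip archive instead of copying whatever it points at."""
import os
import stat
import tempfile
import zipfile


def add_member(zf, root, relpath, follow_symlinks):
    """Add one path below root to the open ZipFile zf."""
    full = os.path.join(root, relpath)
    if os.path.islink(full) and not follow_symlinks:
        info = zipfile.ZipInfo(relpath)
        info.create_system = 3                              # 3 = Unix: external_attr carries the mode
        info.external_attr = (stat.S_IFLNK | 0o777) << 16   # mark the entry as a symlink
        zf.writestr(info, os.readlink(full))                # body is the link target string only
    else:
        # ZipFile.write() stats and opens the path, so a symlink's target is copied in
        zf.write(full, relpath)


def build_archive(root, members, follow_symlinks, out_path):
    """Write the archive, then read it back as {entry: (body, is_symlink_entry)}."""
    with zipfile.ZipFile(out_path, "w") as zf:
        for rel in members:
            add_member(zf, root, rel, follow_symlinks)
    with zipfile.ZipFile(out_path) as zf:
        return {
            info.filename: (zf.read(info).decode(), stat.S_ISLNK(info.external_attr >> 16))
            for info in zf.infolist()
        }


def demo():
    """Constructed layout: repo/README.md plus repo/escape -> ../secret.txt.
    Returns (archive following symlinks, archive storing symlinks as links)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("outside the repo\n")
        repo = os.path.join(tmp, "repo")
        os.makedirs(repo)
        with open(os.path.join(repo, "README.md"), "w") as fh:
            fh.write("inside the repo\n")
        os.symlink("../secret.txt", os.path.join(repo, "escape"))
        members = ["README.md", "escape"]
        before = build_archive(repo, members, True, os.path.join(tmp, "before.zip"))
        after = build_archive(repo, members, False, os.path.join(tmp, "after.zip"))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("following symlinks:", before["escape"])
    print("storing the link:  ", after["escape"])
```

The stdlib zipfile module does not recreate symlinks on extraction; it writes the target string out as a regular file, so consumers of the hardened archive get the link text, not the file it pointed at.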

  * SECURITY UPDATE: argument injection in PagureRepo.log()
    - debian/patches/CVE-2024-47516.patch: prevent the injection of
      additional options to the git command-line by adding the
      `--end-of-option` flag before any user-controlled value
    - CVE-2024-47516
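The command-line construction described above, as an added example that is not pagure's own code: git's `--end-of-options` marker (the flag the changelog refers to) ends option parsing, so a user-controlled revision placed after it is never read as an option. log_argv_unsafe(), log_argv() and injectable_args() are hypothetical names; the repository path and the tainted value are constructed.

```python
"""Added example, not pagure's own code: placing git's --end-of-options marker
between fixed options and a user-controlled revision, plus a small audit helper."""
import shutil
import subprocess

END_OF_OPTIONS = "--end-of-options"  # git stops option parsing here; what follows is a revision


def log_argv_unsafe(repo, revision, limit=10):
    """The pattern the fix removes: user input goes straight after the options."""
    return ["git", "-C", repo, "log", f"--max-count={limit}", revision]


def log_argv(repo, revision, limit=10):
    """The fix: every fixed option first, then the marker, then the user value."""
    return ["git", "-C", repo, "log", f"--max-count={limit}", END_OF_OPTIONS, revision]


def injectable_args(argv, user_values):
    """Audit helper: return the user-controlled values that git would still parse
    as options, i.e. those beginning with '-' that appear before any
    '--end-of-options' or '--' marker. An empty list means none can be injected."""
    cutoff = len(argv)
    for i, arg in enumerate(argv):
        if arg in (END_OF_OPTIONS, "--"):
            cutoff = i
            break
    return [arg for arg in argv[:cutoff] if arg in user_values and arg.startswith("-")]


def run_log(repo, revision, limit=10):
    """Run the hardened command if git is available (assumption: repo is a checkout);
    returns the CompletedProcess, or None when git is not installed."""
    if shutil.which("git") is None:
        return None
    return subprocess.run(log_argv(repo, revision, limit), capture_output=True, text=True)


if __name__ == "__main__":
    tainted = "--pretty=oneline"   # constructed: a value that looks like an option
    for build in (log_argv_unsafe, log_argv):
        argv = build("/srv/repo", tainted)
        print(build.__name__, "injectable:", injectable_args(argv, {tainted}))
```

`--` would not do here: for `git log` everything after `--` is a pathspec, so a revision would be misread as a path, whereas `--end-of-options` keeps the next argument a revision while still refusing to parse it as an option.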

Date: 2026-01-27 05:38:18.455133+00:00
Changed-By: Shishir Subedi <shishirsub10 at gmail.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/pagure/5.11.3+dfsg-2.1ubuntu0.2