
Accepted pagure 5.14.1+dfsg-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 14 Jan 2025 23:14:24 +0000
Source: pagure
Architecture: source
Version: 5.14.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Rebecca N. Palmer <rebecca_palmer@zoho.com>
Changed-By: Rebecca N. Palmer <rebecca_palmer@zoho.com>
Closes: 1073117 1091383
Changes:
 pagure (5.14.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.  Includes security fixes (Closes: #1091383):
     - Do not allow reading or writing files outside the repository
       via .. or symlink:
       - view_issue_raw_file()
         https://bugzilla.redhat.com/show_bug.cgi?id=2280726
       - generate_archive() CVE-2024-47515
       - _update_file_in_git()
         https://bugzilla.redhat.com/show_bug.cgi?id=2280723
     - Do not interpret filenames starting with - as git options
       in log() / view_history_file().
       https://bugzilla.redhat.com/show_bug.cgi?id=2315805
   * Drop / refresh patches.
   * Fix additional security issues:
     - Javascript prototype pollution (probably non-exploitable).
     - Quote non-escaping in HTML diffs.
   * Adapt to newer versions of dependencies:
     - Don't crash (many places).
     - Keep markdown alignment, keep reporting empty commits as empty.
     - Still possibly broken: plugins, dump and reload.
   * Tests:
     - Re-enable the build-time tests, using pytest.
     - Enable Salsa CI and autopkgtest, default to a subset for speed.
     - Don't crash when a test has no display name.
     - Accept changed error messages.
     - Skip code style checks.
     - Don't assume being in the source repo (e.g. find templates).
     - Clean up afterwards.
   * Javascript:
     - Minify with terser, copy if minification fails.
     - Actually install the minified version (and fix symlinks).
     - Switch back to Debian packaged libjs-jquery-atwho.
     - Add missing licenses to d/copyright.
   * d/watch: fix version duplication.
   * Fix spelling and grammar.
   * Bump Standards-Version to 4.7.0 (no changes needed).
   * Set Rules-Requires-Root: no.
   * New maintainer.  (Closes: #1073117)
Checksums-Sha1:
 fa90eaaf1b34af72634af5e6d034801a87d4bea6 3677 pagure_5.14.1+dfsg-1.dsc
 7d4c152c1d5b0285c48139d24b267246ea588294 3903712 pagure_5.14.1+dfsg.orig.tar.xz
 2d100bd1205d5fc6428a0e75d2721857e4fc3ec8 61620 pagure_5.14.1+dfsg-1.debian.tar.xz
 b364ab85a470216a6aa9a21358e094c53766e931 7497 pagure_5.14.1+dfsg-1_source.buildinfo
Checksums-Sha256:
 5c9a7f0090bd35bbc7beb44ec4da0fa33cfbb89c2a00ba2d7cd8cab772df2dc3 3677 pagure_5.14.1+dfsg-1.dsc
 236341d456b0ce2a3fb74542a6d841f51ca6a956a7ec9f47e7495bd834b25ce2 3903712 pagure_5.14.1+dfsg.orig.tar.xz
 4317077c94b76d60190605e895167cebc529682af0486cdac5ad0d040c10dc93 61620 pagure_5.14.1+dfsg-1.debian.tar.xz
 c328e2fb1eb9faf713ecd0accda18f4d6a7e4d6b8571182023fda32c03b21c59 7497 pagure_5.14.1+dfsg-1_source.buildinfo
Files:
 66bafdeff090c5ff9bb2aae3e4403094 3677 net optional pagure_5.14.1+dfsg-1.dsc
 8923943d4ac25c514f9b38734952f589 3903712 net optional pagure_5.14.1+dfsg.orig.tar.xz
 1f5880e9f274ec026edad52b6c475ece 61620 net optional pagure_5.14.1+dfsg-1.debian.tar.xz
 12c262df2ec0aafaa1d7e860aa490cb3 7497 net optional pagure_5.14.1+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
