Bug#1091383: pagure: CVE-2024-47515

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1091383: pagure: CVE-2024-47515
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 25 Dec 2024 08:09:28 +0100
Message-id: <[🔎] 173511056837.3418383.1622382420726660508.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1091383@bugs.debian.org

Source: pagure
Version: 5.11.3+dfsg-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 5.11.3+dfsg-2.1
Control: found -1 5.11.3+dfsg-1

Hi,

The following vulnerability was published for pagure.

CVE-2024-47515[0]:
| A vulnerability was found in Pagure. Support of symbolic links
| during repository archiving of repositories allows the disclosure of
| local files. This flaw allows a malicious user to take advantage of
| the Pagure instance.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47515
    https://www.cve.org/CVERecord?id=CVE-2024-47515
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2315806
[2] https://pagure.io/pagure/c/9b715170008bdc1dd273f7c28debe782a8f7969e

Regards,
Salvatore

Reply to:

Follow-Ups:
- Processed: pagure: CVE-2024-47515
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: pagure: CVE-2024-47515
Next by Date: Bug#1090207: davfs2: FTBFS: configure: error: could not find neon
Previous by thread: yotta is marked for autoremoval from testing
Next by thread: Processed: pagure: CVE-2024-47515
Index(es):
- Date
- Thread