UbuntuUpdates.org

Package "pagure-webhook"

Name: pagure-webhook

Description:

git-centered forge using pygit2 - web-hook server

Latest version: 5.11.3+dfsg-1ubuntu0.1
Release: jammy (22.04)
Level: updates
Repository: universe
Head package: pagure
Homepage: https://pagure.io/pagure

Other versions of "pagure-webhook" in Jammy

Repository Area Version
base universe 5.11.3+dfsg-1
security universe 5.11.3+dfsg-1ubuntu0.1

Changelog

Version: 5.11.3+dfsg-1ubuntu0.1 2026-02-02 09:07:51 UTC

  pagure (5.11.3+dfsg-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: path traversal via symbolic links
    - debian/patches/CVE-2024-4981.patch: validate that the file paths are
      within temp repository and outside '.git/' folder to prevent data
      leaks and unauthorized file modifications
    - CVE-2024-4981

  * SECURITY UPDATE: Path traversal in view_issue_raw_file()
    - debian/patches/CVE-2024-4982.patch: use werkzeug.security.safe_join()
      instead of plain 'os.path.join()' to sanitize user-provided filename
    - CVE-2024-4982

  * SECURITY UPDATE: UNIX symbolic link following
    - debian/patches/CVE-2024-47515.patch: in case of symlinks, add actual
      link instead of target to the zip archive which avoids following of
      symlinks and inclusion of data from outside the repo
    - CVE-2024-47515

  * SECURITY UPDATE: argument injection in PagureRepo.log()
    - debian/patches/CVE-2024-47516.patch: prevent the injection of
      additional options to the git command-line by adding the
      `--end-of-options` flag before any user-controlled value

 -- Shishir Subedi <email address hidden> Wed, 28 Jan 2026 08:26:18 +0545
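
The CVE-2024-4982 entry above replaces `os.path.join()` with `werkzeug.security.safe_join()`. The following added example (not Pagure's or Ubuntu's code) shows the two behaviours side by side on constructed filenames; `ATTACHMENT_DIR` is a hypothetical directory, and when werkzeug is not installed a local re-implementation of `safe_join`'s POSIX semantics is assumed to be equivalent.

```python
import os
import posixpath

try:
    # The fix in the changelog uses werkzeug's safe_join; prefer it when present.
    from werkzeug.security import safe_join
except ImportError:
    def safe_join(directory, *pathnames):
        """Assumed-equivalent re-implementation of werkzeug's safe_join for
        POSIX paths: normalise each component, refuse absolute paths and any
        component that would climb out of `directory`; return None on refusal."""
        parts = [directory or "."]
        for filename in pathnames:
            if filename:
                filename = posixpath.normpath(filename)
            if (os.path.isabs(filename) or filename == ".."
                    or filename.startswith("../")):
                return None
            parts.append(filename)
        return posixpath.join(*parts)

# Hypothetical base directory for issue attachments (constructed for the example).
ATTACHMENT_DIR = "/srv/pagure/attachments/repo"


def raw_file_path_vulnerable(filename):
    """Pre-fix pattern: os.path.join() trusts the caller, so '..' components
    walk out of the directory and an absolute filename discards the base."""
    return os.path.join(ATTACHMENT_DIR, filename)


def raw_file_path_fixed(filename):
    """Post-fix pattern: safe_join() yields None instead of a path outside
    ATTACHMENT_DIR, so the view can answer 404 rather than read the file."""
    return safe_join(ATTACHMENT_DIR, filename)


def compare(filenames):
    """Map each filename to (vulnerable_result, fixed_result) for inspection."""
    return {f: (raw_file_path_vulnerable(f), raw_file_path_fixed(f))
            for f in filenames}


if __name__ == "__main__":
    samples = ["logs.txt", "docs/../README.md", "../../../etc/passwd",
               "/etc/passwd", "a/../../x"]
    for name, (bad, good) in compare(samples).items():
        print(f"{name!r:24} join -> {bad!s:44} safe_join -> {good}")
```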

CVE-2024-4981 A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentio
CVE-2024-4982 A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially crafted git repository they could disco
CVE-2024-47515 A vulnerability was found in Pagure. Support of symbolic links during repository archiving of repositories allows the disclosure of local files. This
CVE-2024-47516 A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pa
