UbuntuUpdates.org

Package "pagure"

Name: pagure

Description:

git-centered forge using pygit2

Latest version: 5.11.3+dfsg-2.1ubuntu0.2
Release: noble (24.04)
Level: security
Repository: universe
Homepage: https://pagure.io/pagure

Other versions of "pagure" in Noble

Repository   Area       Version
base         universe   5.11.3+dfsg-2.1
updates      universe   5.11.3+dfsg-2.1ubuntu0.2

Changelog

Version: 5.11.3+dfsg-2.1ubuntu0.2 2026-02-02 06:07:46 UTC

  pagure (5.11.3+dfsg-2.1ubuntu0.2) noble-security; urgency=medium

  * SECURITY UPDATE: path traversal via symbolic links
    - debian/patches/CVE-2024-4981.patch: validate that the file paths are
      within temp repository and outside '.git/' folder to prevent data
      leaks and unauthorized file modifications
    - CVE-2024-4981

  * SECURITY UPDATE: Path traversal in view_issue_raw_file()
    - debian/patches/CVE-2024-4982.patch: use werkzeug.security.safe_join()
      instead of plain 'os.path.join()' to sanitize user-provided filename
    - CVE-2024-4982

  * SECURITY UPDATE: UNIX symbolic link following
    - debian/patches/CVE-2024-47515.patch: in case of symlinks, add actual
      link instead of target to the zip archive which avoids following of
      symlinks and inclusion of data from outside the repo
    - CVE-2024-47515

  * SECURITY UPDATE: argument injection in PagureRepo.log()
    - debian/patches/CVE-2024-47516.patch: prevent the injection of
      additional options to the git command-line by adding the
      `--end-of-option` flag before any user-controlled value
    - CVE-2024-47516

 -- Shishir Subedi <email address hidden> Mon, 26 Jan 2026 10:33:56 +0545

CVE-2024-4981 A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentio
CVE-2024-4982 A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially crafted git repository they could disco
CVE-2024-47515 A vulnerability was found in Pagure. Support of symbolic links during repository archiving of repositories allows the disclosure of local files. This
CVE-2024-47516 A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pa