Format: 1.8
Date: Sun, 30 Nov 2025 02:01:38 +0100
Source: pagure
Architecture: source
Version: 5.11.3+dfsg-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Sergio Durigan Junior <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 1091383
Changes:
 pagure (5.11.3+dfsg-1+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/control, d/rules: Use uglifyjs.terser to minimize JS. yui-compressor
     errors out for some unknown reason.
   * d/rules (override_dh_auto_test): Kill all remaining redis-server processes,
     or the build will stall.
   * d/patches/CVE-2024-4981.patch: Add to fix CVE-2024-4981.
     - The function _update_file_in_git() follows symbolic links in temporary
       clones. The fix is to bail out if a file path is outside the temp repo or
       inside the '.git/' folder to avoid data leak and unauthorized changes in
       files or git config. (closes: #1091383)
   * d/patches/CVE-2024-4982.patch: Add to fix CVE-2024-4982.
     - Fix path traversal in view_issue_raw_file(). (closes: #1091383)
   * d/patches/CVE-2024-47515.patch: Add to fix CVE-2024-47515.
     - The generate_archive() function follows symbolic links in temporary
       clones. The fix is to add the actual link rather than the target content
       to the zip archive. (closes: #1091383)
   * d/patches/CVE-2024-47516.patch: Add to fix CVE-2024-47516.
     - Fix an injection of additional options to the Git command-line during
       retrieval of the repository history to prevent remote code execution.
       (closes: #1091383)
