Hi,

On Mon, Jul 4, 2016 at 2:39 PM, Pierre-Yves Chibon <[email protected]> wrote:
> Good Morning Everyone,
>
> This morning Patrick found a security bug in pagure. We fixed it and made a 
> new
> release: 2.2.2 with the fix.
>
> This is the corresponding changelog:
> * Mon Jul 04 2016 Pierre-Yves Chibon <[email protected]> - 2.2.2-1
> - Update to 2.2.2
> - Security fix release blocking all html related mimetype when displaying the
>   raw files and forces the browser to download them instead (Thanks to Patrick
>   Uiterwijk for finding this issue)

This resulted in a Cross-Site Scripting attack (XSS) vector.
The issue has been assigned CVE-2016-1000007.

>
> Prod and stg have been upgraded for it.
>
> If you are running your own pagure instance, make sure to pull/apply the
> following fix: 
> https://pagure.io/pagure/c/dbcc8abdde2e78acd6bae7fe5cc095294193686b
>
>
> Thanks for your attention,
>
> Pierre

Regards,
Patrick Uiterwijk
_______________________________________________
infrastructure mailing list
[email protected]
https://lists.fedoraproject.org/admin/lists/[email protected]

Reply via email to