Bug 27487 - pagure new security issue CVE-2019-11556
Summary: pagure new security issue CVE-2019-11556
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-29 17:15 CET by David Walser
Modified: 2021-04-02 14:45 CEST (History)
CC: 2 users

See Also:
Source RPM: pagure-5.5-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-10-29 17:15:08 CET
openSUSE has issued an advisory today (October 29):
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html

The issue is fixed upstream in 5.6.
Comment 1 David Walser 2020-10-29 17:16:28 CET
Fixed by Neal in openSUSE in this commit:
https://build.opensuse.org/request/show/839353

Status comment: (none) => Fixed upstream in 5.6
Assignee: bugsquad => ngompa13

Comment 2 Neal Gompa 2020-11-24 20:04:35 CET
I've uploaded a fixed version to updates-testing for Mageia 7. This has been fixed in Cauldron for a while now, so there was nothing to do there...

Suggested advisory:
========================

Updated pagure packages fix security vulnerabilities:

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11556
https://bugzilla.suse.com/show_bug.cgi?id=1176987
https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318
========================

Updated packages in core/updates_testing:
========================
pagure-5.5-1.1.mga7
pagure-theme-pagureio-5.5-1.1.mga7
pagure-theme-srcfpo-5.5-1.1.mga7
pagure-theme-chameleon-5.5-1.1.mga7
pagure-milters-5.5-1.1.mga7
pagure-ev-5.5-1.1.mga7
pagure-webhook-5.5-1.1.mga7
pagure-ci-5.5-1.1.mga7
pagure-logcom-5.5-1.1.mga7
pagure-loadjson-5.5-1.1.mga7
pagure-mirror-5.5-1.1.mga7


Source RPMs: 
pagure-5.5-1.1.mga7.src.rpm
Nicolas Lécureuil 2021-03-04 19:35:59 CET

Assignee: ngompa13 => qa-bugs
CC: (none) => mageia

David Walser 2021-03-04 22:46:16 CET

Status comment: Fixed upstream in 5.6 => (none)

Comment 3 Herman Viaene 2021-04-02 14:45:48 CEST
MGA7-64 MATE on Peaq C1011
No installation issues.
No previous updates, so looking for info, found https://pagure.io/pagure.
Seems like a lot of fun for knowledgeable people.
Just tried to launch from CLI, but trouble:
$ pagure-admin 
Using configuration file `/etc/pagure/pagure.cfg`
Error: 'Namespace' object has no attribute 'func'
ERROR:root:Generic error catched:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/pagure/cli/admin.py", line 1034, in main
    args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'

CC: (none) => herman.viaene

