Bug 1353562 (CVE-2016-1000007)
| Summary: | CVE-2016-1000007 pagure: XSS in raw file endpoint | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bruno, pingou, puiterwijk |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pagure 2.2.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-07 13:07:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Martin Prpič
2016-07-07 13:06:31 UTC

Updates are available for Fedora and EPEL: pagure-2.2.2-1.fc24, pagure-2.2.2-1.el7, pagure-2.2.2-1.fc25

f23 and f22 have much older versions of Pagure and I don't know if the bug applies to them. Updating them to more recent versions could cause problems in theory, but I doubt anyone is self-hosting with the f22 or f23 distro versions.

(In reply to Bruno Wolff III from comment #2)
> f23 and f22 have much older versions of Pagure and I don't know if the bug
> applies to them.

It does actually :(

> Updating them to more recent versions could cause problems
> in theory, but I doubt anyone is self-hosting with the f22 or f23 distro
> versions.

I share this thought :)

(In reply to Pierre-Yves Chibon from comment #3)
> (In reply to Bruno Wolff III from comment #2)
> > f23 and f22 have much older versions of Pagure and I don't know if the bug
> > applies to them.
>
> It does actually :(

Do note that the patch in 2.2.2 is small enough that it can be applied to those too.