Bug 1673985

Summary: CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail [fedora-29]
Product: [Fedora] Fedora Reporter: Randy Barlow <rbarlow>
Component: pagureAssignee: Pierre-YvesChibon <pingou>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: bruno, ngompa13, pingou, security-response-team, vivekanand1101
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: pagure-5.3-1.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: CVE-2019-7628 Environment:
Last Closed: 2019-02-24 02:32:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1673983    

Description Randy Barlow 2019-02-08 16:18:10 UTC 
+++ This bug was initially created as a clone of Bug #1673983 +++

It was discovered that Pagure[4] sends full API tokens in e-mails 
that are intended to remind users that the tokens are expiring soon[3].
The vulnerability was introduced in 5.2[0]. There was a partial fix
applied in [1], but that fix still leaked partial keys.

At the time of this writing, a fix is proposed at [2].

There is not yet a released version of Pagure with a fix, but Pagure
administrators can work around this issue by disabling the cron job. It
may be wise to delete all API tokens that may have been e-mailed after
disabling the cron job as a precautionary measure.


[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure
Comment 1 Fedora Update System 2019-02-22 15:14:08 UTC 
pagure-5.3-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4e72b179e4
Comment 2 Fedora Update System 2019-02-23 02:04:02 UTC 
pagure-5.3-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4e72b179e4
Comment 3 Fedora Update System 2019-02-24 02:32:47 UTC 
pagure-5.3-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.