It was found that Pagure served files in user repositories from its raw endpoint with content types that instructed the browser to parse them as HTML (for example a file named with an .html extension was sent as text/html), which could lead to a cross-site scripting attack in the Pagure origin.
References: http://seclists.org/oss-sec/2016/q3/6
Upstream patch: https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77
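To make the failure mode concrete, the following is an added, self-contained illustration and not Pagure's code or the upstream patch. It models the header logic of a raw-file endpoint in a Python/Flask-style forge: the vulnerable variant trusts the content type guessed from the file extension, so an attacker who pushes `evil.html` to their own repository gets it rendered as a page on the forge's origin; the hardened variant downgrades every browser-parsable type (HTML, XHTML, SVG, XML and all text/* types) to text/plain and adds nosniff and a sandboxing CSP. The type list, the helper names and the extra headers are my own assumptions for the example, not something taken from the fix.

```python
"""Added example: raw endpoint Content-Type handling, vulnerable vs hardened.

Not Pagure's code. Only the response headers are modelled; the body is the
repository blob and is returned unchanged in both variants.
"""
import mimetypes
from typing import Dict

# Assumption for this example: types a browser will parse as markup and run
# script from when a user navigates to the raw URL directly. Serving
# attacker-controlled repository content with any of these turns the raw
# endpoint into an XSS sink in the forge's own origin.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",      # SVG can carry <script> and is rendered top-level
    "application/xml",    # XML with an xml-stylesheet PI can reach script
    "text/xml",
}


def _guess(filename: str) -> str:
    """Extension-based guess; unknown extensions fall back to a binary type."""
    ctype, _encoding = mimetypes.guess_type(filename)
    return ctype or "application/octet-stream"


def raw_headers_vulnerable(filename: str) -> Dict[str, str]:
    """The pattern behind the bug: echo the guessed type straight back.

    "evil.html" -> text/html, so the browser renders the attacker's markup
    with the forge's cookies and origin privileges.
    """
    return {"Content-Type": _guess(filename)}


def raw_headers_hardened(filename: str) -> Dict[str, str]:
    """Never let user content be parsed as active markup on this origin."""
    ctype = _guess(filename)
    base = ctype.split(";")[0].strip().lower()
    if base in ACTIVE_CONTENT_TYPES or base.startswith("text/"):
        # text/plain is shown verbatim; any <script> inside is inert.
        ctype = "text/plain; charset=utf-8"
    return {
        "Content-Type": ctype,
        # Stops the browser from sniffing a text/plain body back to HTML.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth (assumption, not part of the upstream fix): even
        # if a future code path served HTML, a sandboxed page with no
        # permitted sources cannot run script or reach the forge's cookies.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def browser_would_execute(headers: Dict[str, str]) -> bool:
    """Check helper: would a browser treat this response as active content?"""
    base = headers["Content-Type"].split(";")[0].strip().lower()
    return base in ACTIVE_CONTENT_TYPES


if __name__ == "__main__":
    # Constructed sample names: an attacker-pushed page, an SVG, an image,
    # and an extension-less file.
    for name in ("evil.html", "logo.svg", "photo.png", "README"):
        print(name, "vulnerable:", raw_headers_vulnerable(name)["Content-Type"],
              "| hardened:", raw_headers_hardened(name)["Content-Type"])
```

The check worth keeping from this is `browser_would_execute`: run it over the headers your raw endpoint actually emits for every extension in a test repository, not just `.html`, because SVG and XHTML blobs are just as exploitable and are easy to forget. Note that `.js` is sent as text/plain here too; a script file navigated to directly is displayed rather than run, but serving it as text/plain also stops other sites from loading it as a script from your origin.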
Updates are available for Fedora and EPEL: pagure-2.2.2-1.fc24 pagure-2.2.2-1.el7 pagure-2.2.2-1.fc25
f23 and f22 have much older versions of Pagure and I don't know if the bug applies to them. Updating them to more recent versions could cause problems in theory, but I doubt anyone is self hosting with the f22 or f23 distro versions.
(In reply to Bruno Wolff III from comment #2)
> f23 and f22 have much older versions of Pagure and I don't know if the bug
> applies to them.

It does actually :(

> Updating them to more recent versions could cause problems
> in theory, but I doubt anyone is self hosting with the f22 or f23 distro
> versions.

I share this thought :)
(In reply to Pierre-YvesChibon from comment #3)
> (In reply to Bruno Wolff III from comment #2)
> > f23 and f22 have much older versions of Pagure and I don't know if the bug
> > applies to them.
>
> It does actually :(

Do note that the patch in 2.2.2 is small enough that it can be applied to those too.