+++ This bug was initially created as a clone of Bug #1673983 +++

It was discovered that Pagure[4] sends full API tokens in e-mails that are intended to remind users that the tokens are expiring soon[3]. The vulnerability was introduced in 5.2[0]. There was a partial fix applied in [1], but that fix still leaked partial keys. At the time of this writing, a fix is proposed at [2].

There is not yet a released version of Pagure with a fix, but Pagure administrators can work around this issue by disabling the cron job. It may be wise to delete all API tokens that may have been e-mailed after disabling the cron job as a precautionary measure.

[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure
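As an added illustration of the bug class described in the report above (this is not Pagure's code and not the fix proposed in [2]): a reminder that embeds the full token next to one that refers to the token only by label and a hashed fingerprint, plus a check that also flags the partial-key leak left by the first fix. The token record, its field names and the sample token value are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed example: a minimal token record. Field names are
# hypothetical, not Pagure's own data model.
@dataclass
class ApiToken:
    key: str          # the secret API token value
    description: str  # user-supplied label
    expires_on: str   # ISO date, kept as text for simplicity

def token_fingerprint(token: ApiToken) -> str:
    # Short, non-reversible handle that identifies the token to its owner
    # without disclosing it (same idea as an SSH key fingerprint).
    return hashlib.sha256(token.key.encode()).hexdigest()[:12]

def leaky_reminder(token: ApiToken) -> str:
    # The reported behaviour: the expiry reminder carries the full secret.
    return (f"Your API token {token.key} ({token.description}) "
            f"expires on {token.expires_on}.")

def safe_reminder(token: ApiToken) -> str:
    # Hardened form: refer to the token by label and fingerprint only.
    return (f"Your API token '{token.description}' "
            f"(fingerprint {token_fingerprint(token)}) expires on "
            f"{token.expires_on}. Log in to review or renew it.")

def leaks_secret(body: str, secret: str, min_fragment: int = 8) -> bool:
    # True if the full secret, or any run of >= min_fragment consecutive
    # characters of it, appears in the message. The fragment check is what
    # catches a "partial key" leak, the failure mode of the first fix.
    if secret in body:
        return True
    return any(secret[i:i + min_fragment] in body
               for i in range(len(secret) - min_fragment + 1))

if __name__ == "__main__":
    tok = ApiToken("XQZW-KPLM-RSTU-VHGJ-NBYC-OIEA", "ci-deploy", "2019-03-01")
    print("leaky:", leaks_secret(leaky_reminder(tok), tok.key))   # True
    print("safe :", leaks_secret(safe_reminder(tok), tok.key))    # False
```

The same `leaks_secret` check can be run over every outbound notification template in a test suite, so a regression that reintroduces the secret (whole or truncated) fails the build instead of reaching users' mailboxes.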
pagure-5.3-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4e72b179e4
pagure-5.3-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4e72b179e4
pagure-5.3-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.