Good Morning Everyone,
Yesterday I cut two new releases of pagure: 4.0.2 and 4.0.3.
These are important releases: 4.0.2 addresses a CVE that was reported earlier
in the day. It's not a "sky is falling" type of CVE, but it is still nicer to have it fixed.
Basically, anyone with an API key that was allowed to modify a project could create
git branches on any project.
This has been mitigated by having a dedicated ACL for creating git branches. So
if you have an API token that you use to create git branches, you will need to
get a new one with this new ACL.
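As an added illustration of the mitigation described above (not pagure's own code): a minimal API-token check before and after introducing a dedicated ACL for branch creation. The announcement only says that a project-modifying token could create branches on any project; the example assumes the weak path never compared the token's project with the requested one, and the token ids, project names and ACL names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


class ApiAuthError(Exception):
    """Raised when a token may not perform the requested action."""


@dataclass(frozen=True)
class ApiToken:
    token_id: str
    project: Optional[str]   # project the token was issued for (None = not bound)
    acls: FrozenSet[str]     # ACL names granted to the token


# Constructed sample tokens; ids, project names and ACL names are illustrative.
TOKENS: Dict[str, ApiToken] = {
    "tok-modify-a": ApiToken("tok-modify-a", "project-a", frozenset({"modify_project"})),
    "tok-branch-a": ApiToken("tok-branch-a", "project-a", frozenset({"create_branch"})),
}


def check_before(token_id: str, project: str) -> ApiToken:
    """Weak check, modelled on the flaw the announcement describes (assumed
    mechanism): the endpoint only requires the broad project-modifying ACL and
    never compares the token's project with the project named in the request."""
    tok = TOKENS.get(token_id)
    if tok is None or "modify_project" not in tok.acls:
        raise ApiAuthError("invalid token or missing modify_project ACL")
    return tok


def check_after(token_id: str, project: str) -> ApiToken:
    """Hardened check: a dedicated ACL for this one action, and the token must
    have been issued for the very project it is being used on."""
    tok = TOKENS.get(token_id)
    if tok is None:
        raise ApiAuthError("invalid token")
    if tok.project != project:
        raise ApiAuthError("token was not issued for this project")
    if "create_branch" not in tok.acls:
        raise ApiAuthError("token lacks the create_branch ACL")
    return tok


def create_branch(token_id: str, project: str, branch: str, check=check_after) -> str:
    """Simulated API endpoint: authorize first, then 'create' the branch
    (represented here as a 'project:branch' string; no git involved)."""
    check(token_id, project)
    return f"{project}:{branch}"


def branch_allowed(check, token_id: str, project: str) -> bool:
    """True if `check` would let this token create a branch on `project`."""
    try:
        create_branch(token_id, project, "feature", check=check)
        return True
    except ApiAuthError:
        return False


if __name__ == "__main__":
    # With the weak check, a modify_project token for project-a reaches project-b.
    print(branch_allowed(check_before, "tok-modify-a", "project-b"))  # True
    # With the fix, only a create_branch token bound to the requested project passes.
    print(branch_allowed(check_after, "tok-modify-a", "project-a"))   # False
    print(branch_allowed(check_after, "tok-branch-a", "project-b"))   # False
    print(branch_allowed(check_after, "tok-branch-a", "project-a"))   # True
```

The two checks differ in exactly the two places the fix touches: the ACL name is specific to the action instead of a broad "modify" right, and the token's project is compared with the request before the ACL is even consulted, which is why existing tokens have to be reissued with the new ACL.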
4.0.3 corrects bugs introduced by backporting more fixes to 4.0.2 than just the
CVE fix, but not backporting enough; so 4.0.3 basically makes 4.0.2 work.
Here are the corresponding changelogs for these releases:
4.0.3:

- Backport utility method from the 4.1 code to fix the 4.0.2 release

4.0.2:

.. note:: This release fixes CVE-2018-1002151

- Fix showing the list of issues in a timely fashion (Patrick Uiterwijk)
- Fix stats for commits without author (Lubomír Sedlář)
- Explain how to fetch a pull request locally and some grammar fixes
- Drop the constraint on the requirement on straight.plugin but document it
- Fix the requirement on bcrypt, it's optional
- Make API endpoint for creating new git branch have its own ACL
All known pagure instances have been upgraded to 4.0.3.