Hi,

On Mon, Jul 4, 2016 at 2:39 PM, Pierre-Yves Chibon <pingou@xxxxxxxxxxxx> wrote:
> Good Morning Everyone,
>
> This morning Patrick found a security bug in pagure. We fixed it and made a new
> release: 2.2.2 with the fix.
>
> This is the corresponding changelog:
> * Mon Jul 04 2016 Pierre-Yves Chibon <pingou@xxxxxxxxxxxx> - 2.2.2-1
> - Update to 2.2.2
> - Security fix release blocking all html related mimetype when displaying the
> raw files and forces the browser to download them instead (Thanks to Patrick
> Uiterwijk for finding this issue)

This resulted in a Cross-Site Scripting attack (XSS) vector.
The issue has been assigned CVE-2016-1000007.

> Prod and stg have been upgraded for it.
>
> If you are running your own pagure instance, make sure to pull/apply the
> following fix: https://pagure.io/pagure/c/dbcc8abdde2e78acd6bae7fe5cc095294193686b
>
> Thanks for your attention,
>
> Pierre

Regards,
Patrick Uiterwijk

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx