-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Nov 2025 02:01:38 +0100
Source: pagure
Architecture: source
Version: 5.11.3+dfsg-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Sergio Durigan Junior <sergiodj@debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Closes: 1091383
Changes:
 pagure (5.11.3+dfsg-1+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/control, d/rules: Use uglifyjs.terser to minimize JS. yui-compressor
     errors out for some unknown reason.
   * d/rules (override_dh_auto_test): Kill all remaining redis-server
     processes, or the build will stall.
   * d/patches/CVE-2024-4981.patch: Add to fix CVE-2024-4981.
     - The function _update_file_in_git() follows symbolic links in temporary
       clones. The fix is to bail out if a file path is outside the temp repo
       or inside the '.git/' folder to avoid data leak and unauthorized
       changes in files or git config. (closes: #1091383)
   * d/patches/CVE-2024-4982.patch: Add to fix CVE-2024-4982.
     - Fix path traversal in view_issue_raw_file(). (closes: #1091383)
   * d/patches/CVE-2024-47515.patch: Add to fix CVE-2024-47515.
     - The generate_archive() function follows symbolic links in temporary
       clones. The fix is to add the actual link rather than the target
       content to the zip archive. (closes: #1091383)
   * d/patches/CVE-2024-47516.patch: Add to fix CVE-2024-47516.
     - Fix an injection of additional options to the Git command-line during
       retrieval of the repository history to prevent remote code execution.
       (closes: #1091383)
Checksums-Sha1:
 792d94f8984cd1cff8fca0c5a2cffa65f2fcfad4 3673 pagure_5.11.3+dfsg-1+deb11u1.dsc
 98bc08a4d05c960ff60236ab2188c656178495d2 3941836 pagure_5.11.3+dfsg.orig.tar.xz
 daa65fcf86c5970b8fed93755ba4ef76004d6569 26868 pagure_5.11.3+dfsg-1+deb11u1.debian.tar.xz
 70174e8ea88a526da192f7adedbf0ff6d5e499cf 17532 pagure_5.11.3+dfsg-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 488b54cd26b0b846b4cc1fc6361e25e22959227a5c7002cfd876f6ee13a3937a 3673 pagure_5.11.3+dfsg-1+deb11u1.dsc
 4f04ea823f10491d2457346af720764dae9176ede4a94525f3b90babc6a1403a 3941836 pagure_5.11.3+dfsg.orig.tar.xz
 2f7d00cd597b40aace184404b5399989b5c3c7c87224eefd96fa49713a149e97 26868 pagure_5.11.3+dfsg-1+deb11u1.debian.tar.xz
 f077b6fcad848626ac66789c98afce807ef28cd12a6d7ce20568e0518f869f25 17532 pagure_5.11.3+dfsg-1+deb11u1_amd64.buildinfo
Files:
 e2756c938468119c2bc779b9a4fc0b8a 3673 net optional pagure_5.11.3+dfsg-1+deb11u1.dsc
 98e49bfeb02ae03e7b7a670b240e3c4d 3941836 net optional pagure_5.11.3+dfsg.orig.tar.xz
 f4ae8585700bdd8fdfb883e7b20cfcd7 26868 net optional pagure_5.11.3+dfsg-1+deb11u1.debian.tar.xz
 2f73fb1b2d2cc4ddc8bd5ddcd68344a1 17532 net optional pagure_5.11.3+dfsg-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmks174ACgkQS80FZ8KW
0F2+1BAApT33Bw7zAT5h9lf5T2bcT+MUvMQF16sg2xnY5BxPqBCCc3zT6H8qY5si
hzXNZRrFugLwrOwQrFUYg7ocfor868+1KtAHCehETaqg3vgzQZzFo81ODSMGKALt
kghTEQTo3XCIWhAuZMngl/MnHlHSCR5JDG6kgbGHoT38Onu7bA+bjNE8d8c0OXIU
T2qBZWteLbLg5Gm1Zx4g5ZdQu2tnowYW02BeOqUFT3i3UVzdAso3OMS41BnTTr/T
AUv4e4JMPHqC8UGOeDf6nUvOgyFC71CMcVkSFGmBsMuCypwv/+jAKUNSdorAPdHZ
AK4ZcgUxXSo16ZZ1ourmk4470xCDritPZvJp7tQv/xWDVwBMrdK2QP13K9zrYCn4
FvCZZfrTF8xaZl3oxBqg5CxjGwFuUjlKIwL7bf6fYgAbcCujLbKAQLHzD3rW7h5m
q1a/8DB5lYXo4hxqOW4+4fRhu73vZ7w0yjEajgcAW0PvB+odS74tGdcCNmhpWSmt
LM5/YFOBKhBzuzPj2lRBRnF8h8Y6HT7QxCjzxOvJ0wjMGO/eBf6LdTDktcGXCCMb
1n1LFe3SUZU6sB8LQavi6+VEDOnot9Y3JG1LqtdX8Xmoi0N/KvRmzDwzwXVlvjqe
0od02YmWME7lTMQp4ea92NofdL+d3yvVDpqws/ETLwTN6zE9dcI=
=zHJo
-----END PGP SIGNATURE-----
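The four fixes listed in the changelog share two root causes: code that operates on a path inside a temporary clone without first checking where that path actually resolves (symlinks and "../" can point outside the clone or into .git/), and code that hands user-controlled strings to git in a position where git reads them as options. The block below is an added example, not Pagure's code and not the Debian patches, showing the checks a practitioner would write for those classes in Python: a containment check that resolves symlinks before comparing against the clone root, an archive writer that stores a symlink as a link entry instead of following it, and a git argv builder that refuses option-like arguments. The function names, the temporary clone layout, and the sample files are assumptions made for the demonstration.

```python
"""Hardening helpers for the fix classes named in the changelog above.
Added example, not Pagure's own code. Names and the clone layout are assumed."""
import os
import stat
import tempfile
import zipfile
from typing import Optional


def resolve_inside_repo(repo_root: str, relpath: str) -> str:
    """Return the real path of ``relpath`` inside ``repo_root`` or raise ValueError.

    Symlinks and ".." are resolved *before* the containment check, so a link
    pointing outside the clone (or into .git/) is rejected instead of followed.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, relpath))
    # Containment: target must be the root itself or a descendant of it.
    if target != root and not target.startswith(root + os.sep):
        raise ValueError(f"path escapes repository: {relpath!r}")
    # Never expose or modify repository metadata (config, hooks, objects).
    git_dir = os.path.join(root, ".git")
    if target == git_dir or target.startswith(git_dir + os.sep):
        raise ValueError(f"path points into .git/: {relpath!r}")
    return target


def add_path_to_archive(zf: zipfile.ZipFile, repo_root: str, relpath: str) -> str:
    """Add one clone entry to ``zf``; returns "symlink" or "file".

    A symlink is stored as a link entry (POSIX mode S_IFLNK in the high 16
    bits of external_attr, body = link target) rather than being followed, so
    the archive can never carry the contents of a file outside the clone.
    """
    full = os.path.join(repo_root, relpath)
    if os.path.islink(full):
        info = zipfile.ZipInfo(relpath)
        info.create_system = 3  # Unix, so unzip honours the mode bits
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, os.readlink(full))
        return "symlink"
    zf.write(full, relpath)
    return "file"


def git_log_argv(repo_root: str, ref: str, path: Optional[str] = None) -> list:
    """Build a ``git log`` argv in which user-supplied values cannot become options.

    Any value starting with '-' is rejected outright (git would parse it as an
    option), and the path is placed after '--' so it is only read as a pathspec.
    """
    for value in (ref, path):
        if value is not None and value.startswith("-"):
            raise ValueError(f"refusing option-like argument: {value!r}")
    argv = ["git", "-C", repo_root, "log", ref]
    if path is not None:
        argv += ["--", path]
    return argv


def demo() -> dict:
    """Build a constructed temporary clone and exercise the helpers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "clone")          # the "temporary clone"
        os.makedirs(os.path.join(repo, ".git"))
        with open(os.path.join(repo, ".git", "config"), "w") as fh:
            fh.write("[core]\n")
        with open(os.path.join(repo, "README"), "w") as fh:
            fh.write("hello\n")
        outside = os.path.join(tmp, "secret")      # a file outside the clone
        with open(outside, "w") as fh:
            fh.write("not for you\n")
        os.symlink(outside, os.path.join(repo, "escape"))       # link out of the clone
        os.symlink(".git/config", os.path.join(repo, "cfg"))    # link into .git/

        for name in ("README", "escape", "cfg", "../secret", ".git/config"):
            try:
                resolve_inside_repo(repo, name)
                results[name] = "ok"
            except ValueError:
                results[name] = "rejected"

        archive = os.path.join(tmp, "out.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            for name in ("README", "escape"):
                add_path_to_archive(zf, repo, name)
        with zipfile.ZipFile(archive) as zf:
            info = zf.getinfo("escape")
            results["escape_is_link"] = stat.S_ISLNK(info.external_attr >> 16)
            results["escape_body"] = zf.read("escape").decode()

        try:
            git_log_argv(repo, "--output=/tmp/owned")
            results["injection"] = "accepted"
        except ValueError:
            results["injection"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

Only "README" passes the containment check; the two symlinks, the "../" traversal and the direct .git/ path are all rejected before any read or write happens. In the archive, "escape" comes back as a link entry whose body is the link target, not the contents of the file outside the clone. The leading-dash check is the real guard in the argv builder; "--" only protects the pathspec position, and on git 2.24 or newer "--end-of-options" can be added before the ref as a further layer.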