Version 5.14.1+dfsg-7 of pagure is marked for autoremoval from testing on Thu 01 May 2025. It depends (transitively) on python-marshmallow, affected by #1100798. You should try to prevent the removal by fixing these RC bugs.
CVE-2024-47515:
A vulnerability was found in Pagure. Support of symbolic links during archiving of repositories allows the disclosure of local files. This flaw allows a malicious user to take advantage of the Pagure instance.
CVE-2024-47516:
A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance.
debian/patches: 3 patches with invalid metadata, 9 patches to forward upstream
high
Among the 42 debian patches available in version 5.14.1+dfsg-7 of the package, we noticed the following issues:
- 3 patches with invalid metadata that ought to be fixed.
- 9 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.