Version 5.14.1+dfsg-8 of pagure is marked for autoremoval from testing on Sun 16 Nov 2025. It depends (transitively) on scikit-learn, affected by #1109955. You should try to prevent the removal by fixing these RC bugs.
CVE-2024-4981:
A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally incorporate and make visible content from outside the git repo.
CVE-2024-4982:
A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially crafted git repository, they could discover secrets on the server.
CVE-2024-47515:
A vulnerability was found in Pagure. Support of symbolic links during the archiving of repositories allows the disclosure of local files. This flaw allows a malicious user to take advantage of the Pagure instance.
CVE-2024-47516:
A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance.
debian/patches: 3 patches with invalid metadata, 10 patches to forward upstream
high
Among the 43 debian patches available in version 5.14.1+dfsg-8 of the package, we noticed the following issues:
3 patches with invalid metadata that ought to be fixed.
10 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.