Good Morning Everyone,
Yesterday I cut two new releases of pagure: 4.0.2 and 4.0.3.
These are important releases. 4.0.2 addresses a CVE that was reported earlier in the day; it's not a "sky is falling" type of CVE, but still nicer to have it fixed. Basically, anyone with an API key that was allowed to modify a project could create git branches on any project. This has been mitigated by having a dedicated ACL for creating git branches. So if you have an API token that you use to create git branches, you will need to get a new one with this new ACL.
4.0.3 is correcting bugs introduced by backporting some more fixes to 4.0.2 than just this CVE but not backporting enough, so 4.0.3 basically makes 4.0.2 work.
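To illustrate the authorization gap described above, here is an added example (not pagure's own code, all names hypothetical): a token model where a coarse "modify_project" ACL lets any project-scoped token create branches anywhere, next to a check that requires the dedicated "create_branch" ACL and, as an extra assumed safeguard, a matching token scope.

```python
# Added illustration of the CVE-2018-1002151 class of bug; not pagure's code.
# ApiToken, create_branch_* and the ACL names are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiToken:
    """Constructed token model: owner, issuing project (None = user-wide
    token) and the set of ACLs granted when the token was created."""
    owner: str
    project: Optional[str]
    acls: frozenset


class Forbidden(Exception):
    pass


def create_branch_vulnerable(token: ApiToken, project: str, branch: str) -> str:
    """Pre-fix pattern: asks only whether the token may modify *a* project,
    never which one, so a token for alice/foo also works against bob/bar."""
    if "modify_project" not in token.acls:
        raise Forbidden("token lacks modify_project")
    return f"created {branch} in {project}"


def create_branch_fixed(token: ApiToken, project: str, branch: str) -> str:
    """Post-fix pattern: a dedicated create_branch ACL (as the 4.0.2 changelog
    states) plus an assumed scope check that the token was issued for the
    target project, or is user-wide."""
    if "create_branch" not in token.acls:
        raise Forbidden("token lacks create_branch")
    if token.project is not None and token.project != project:
        raise Forbidden(f"token is scoped to {token.project}, not {project}")
    return f"created {branch} in {project}"


def demo() -> dict:
    """Constructed scenario: a token issued for alice/foo used on bob/bar."""
    token = ApiToken("alice", "alice/foo", frozenset({"modify_project"}))
    results = {"vulnerable": create_branch_vulnerable(token, "bob/bar", "feat")}
    try:
        create_branch_fixed(token, "bob/bar", "feat")
        results["fixed"] = "allowed"
    except Forbidden as exc:
        results["fixed"] = f"denied: {exc}"
    return results
```

Tokens created before the fix carry only the old ACL, which is why the announcement says existing branch-creation tokens must be re-issued with the new one.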
Here are the corresponding changelogs for these releases:
4.0.3 (2018-05-14)
------------------
- Backport utility method from the 4.1 code to fix the 4.0.2 release
4.0.2 (2018-05-14)
------------------
.. note:: This release fixes CVE-2018-1002151
- Fix showing the list of issues in a timely fashion (Patrick Uiterwijk)
- Fix stats for commits without author (Lubomír Sedlář)
- Explain how to fetch a pull request locally and some grammar fixes (Todd Zullinger)
- Drop the constraint on the requirement on straight.plugin but document it
- Fix the requirement on bcrypt, it's optional
- Make API endpoint for creating new git branch have its own ACL, fixes CVE-2018-1002151
All known pagure instances have been upgraded to 4.0.3.
Happy coding, Pierre
infrastructure@lists.fedoraproject.org