Home / mailingsPDF  

[USN-7984-1] Pagure vulnerabilities

Posted on 04 February 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-7984-1
January 29, 2026

pagure vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Pagure.

Software Description:
- pagure: A git-centered forge using pygit2

Details:

Thomas Chauchefoin discovered that Pagure incorrectly handled symbolic
links in Git repositories. A remote attacker could possibly use this
issue to cause Pagure to expose files outside the intended repository
boundaries. (CVE-2024-4981)

Thomas Chauchefoin discovered that Pagure did not properly sanitize path
inputs. A remote attacker could possibly use this issue to read arbitrary
files. (CVE-2024-4982)

Thomas Chauchefoin discovered that Pagure incorrectly handled symbolic
links during repository archiving. A remote attacker could possibly use
this issue to disclose local files on the server. (CVE-2024-47515)

Thomas Chauchefoin discovered that Pagure incorrectly handled certain
inputs. A remote attacker could possibly use this issue to execute
arbitrary code on the server. (CVE-2024-47516)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
pagure 5.11.3+dfsg-2.1ubuntu0.2

Ubuntu 22.04 LTS
pagure 5.11.3+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS
pagure 5.8.1+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7984-1
CVE-2024-47515, CVE-2024-47516, CVE-2024-4981, CVE-2024-4982

Package Information:
https://launchpad.net/ubuntu/+source/pagure/5.11.3+dfsg-2.1ubuntu0.2
https://launchpad.net/ubuntu/+source/pagure/5.11.3+dfsg-1ubuntu0.1

--===============6151007624983136357==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :