Date: Mon, 4 Jul 2016 17:27:14 +0000 From: Patrick Uiterwijk <puiterwijk@...hat.com> To: oss-security@...ts.openwall.com Subject: [CVE-2016-1000007] Pagure: XSS in raw file endpoint CVE-2016-1000007: Pagure XSS in raw file endpoint Versions affected: 2.2.1 and earlier Fixed in versions: 2.2.2 Description: It was found that Pagure served files in user repositories from its raw endpoint with content types that instructed the browser to parse HTML files which could lead to Cross-Site Scripting attack. Mitigation: Users of Pagure should update to version 2.2.2 or later. Credit: This issue was discovered by Patrick Uiterwijk of Red Hat. Upstream patch: https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.