Date: Fri, 08 Feb 2019 09:08:22 -0500
From: Randy Barlow <randy@...ctronsweatshop.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail

It was discovered that Pagure[4] 5.2 includes full API tokens in the
e-mails it sends to remind users that those tokens are expiring soon[3].
The vulnerability was introduced in 5.2[0]. A partial fix was applied
in [1], but that fix still leaked partial keys.

At the time of this writing, a fix is proposed at [2].

There is not yet a released version of Pagure with a fix, but Pagure
administrators can work around this issue by disabling the cron job. It
may be wise to delete all API tokens that may have been e-mailed after
disabling the cron job as a precautionary measure.
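The pattern behind this advisory, as an added illustration that is not Pagure's code and not part of the original post: an expiration reminder built from the token value itself leaks the secret, a reminder that shows a truncated prefix still leaks part of it, and a reminder that refers to the token only by its user-chosen description and expiry date leaks nothing. The `leaks_secret` helper is a pre-send check that flags any run of the secret (full or partial) appearing in the outgoing message. The token value, description and settings URL are constructed sample data.

```python
"""Expiring-API-token reminders: leaking versus non-leaking composition.

Hypothetical example code (not Pagure's). The token value, description and
the settings URL below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ApiToken:
    value: str          # the secret itself; must never leave the server
    description: str    # user-chosen label, safe to show
    expiration: date


# Hypothetical location of the token management page, used so the reminder
# can point the user somewhere without repeating the secret.
SETTINGS_URL = "https://pagure.example.org/settings#api-keys"


def leaky_reminder(token: ApiToken) -> str:
    """The original 5.2 behaviour described in the advisory: full token in mail."""
    return (
        f"Your API token {token.value} expires on {token.expiration.isoformat()}.\n"
        f"Visit {SETTINGS_URL} to renew it."
    )


def partially_leaky_reminder(token: ApiToken) -> str:
    """Truncating the value still discloses part of the secret."""
    return (
        f"Your API token {token.value[:8]}... expires on "
        f"{token.expiration.isoformat()}.\nVisit {SETTINGS_URL} to renew it."
    )


def safe_reminder(token: ApiToken) -> str:
    """Identify the token by description and expiry only; the value is never used."""
    return (
        f"Your API token \"{token.description}\" expires on "
        f"{token.expiration.isoformat()}.\nVisit {SETTINGS_URL} to renew it."
    )


def leaks_secret(message: str, secret: str, min_run: int = 6) -> bool:
    """Return True if any `min_run`-character window of `secret` appears in
    `message`. Catches both full and truncated disclosures; `min_run` is
    chosen large enough that random overlap with prose is negligible."""
    if len(secret) < min_run:
        return secret in message
    return any(
        secret[i:i + min_run] in message
        for i in range(len(secret) - min_run + 1)
    )


def send_reminder(token: ApiToken, compose=safe_reminder) -> str:
    """Gate on the leak check before the message reaches the mailer."""
    body = compose(token)
    if leaks_secret(body, token.value):
        raise ValueError("refusing to send: reminder contains API token material")
    return body


if __name__ == "__main__":
    sample = ApiToken(
        value="K7q2x9ZpL4mVn8RwB1yT3cJ6sE0aQ5",   # constructed, not a real token
        description="CI deploy key",
        expiration=date(2019, 2, 20),
    )
    for name, compose in [("leaky", leaky_reminder),
                          ("partial", partially_leaky_reminder),
                          ("safe", safe_reminder)]:
        print(f"{name:8s} leaks secret material: "
              f"{leaks_secret(compose(sample), sample.value)}")
    print(send_reminder(sample))
```

The check is deliberately a substring scan over windows of the secret rather than a single `secret in message` test, because the partial-fix case in this advisory shows that a prefix alone is still sensitive: an attacker who sees part of a token has that much less to guess, and users cannot tell from the mail whether the remainder was withheld or merely wrapped.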


[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure
