Date: Fri, 08 Feb 2019 09:08:22 -0500
From: Randy Barlow <randy@...ctronsweatshop.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail

It was discovered that Pagure 5.2 e-mails full API tokens in e-mails that are intended to remind users that the tokens are expiring soon. The vulnerability was introduced in 5.2. There was a partial fix applied in , but that fix still leaked partial keys. At the time of this writing, a fix is proposed at .

There is not yet a released version of Pagure with a fix, but Pagure administrators can work around this issue by disabling the cron job. It may be wise to delete all API tokens that may have been e-mailed after disabling the cron job as a precautionary measure.

https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
https://pagure.io/pagure/pull-request/4254
https://nvd.nist.gov/vuln/detail/CVE-2019-7628
https://pagure.io/pagure
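The advisory above describes two failure modes of an expiry-reminder job: the first version put the whole token in the mail, and the partial fix still exposed part of it. The following is an added illustration, not Pagure's code and not taken from the linked commits or pull request: a hypothetical reminder builder in three variants (full secret, truncated secret, and a version that identifies the token only by its non-secret id and user-supplied description), together with a check that flags a message body containing any run of the secret long enough to be useful. The `ApiToken` fields, the message wording and the 8-character threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class ApiToken:
    """Hypothetical token record (constructed for this example, not Pagure's model)."""
    token_id: str      # non-secret database identifier, safe to show
    description: str   # label the user chose when creating the token
    secret: str        # the bearer credential; must never appear in mail
    expires: date


def reminder_full_secret(token: ApiToken) -> str:
    """Pattern the advisory warns about: the complete token is in the mail body."""
    return (f"Your API token {token.secret} ({token.description!r}) "
            f"expires on {token.expires.isoformat()}.")


def reminder_truncated_secret(token: ApiToken) -> str:
    """'Partial fix' pattern: only a prefix is shown, but a prefix is still
    secret material and narrows the search space for anyone reading the mail."""
    return (f"Your API token {token.secret[:8]}... ({token.description!r}) "
            f"expires on {token.expires.isoformat()}.")


def reminder_by_reference(token: ApiToken) -> str:
    """Hardened pattern: refer to the token only by identifiers that are not
    secrets.  The user can look the id up in their account settings."""
    return (f"Your API token #{token.token_id} ({token.description!r}) "
            f"expires on {token.expires.isoformat()}. "
            "Visit your settings page to rotate it.")


def leaks_secret(body: str, secret: str, min_run: int = 8) -> bool:
    """Return True if any substring of `secret` at least `min_run` characters
    long appears in `body`.  Catches both the full-token and the
    truncated-token leak; the threshold is an assumption for this example."""
    if len(secret) < min_run:
        return secret in body
    for start in range(len(secret) - min_run + 1):
        if secret[start:start + min_run] in body:
            return True
    return False


def audit_reminders(token: ApiToken) -> dict:
    """Run all three builders through the leak check; useful as a unit test
    for any notification template that touches credential records."""
    builders = {
        "full": reminder_full_secret,
        "truncated": reminder_truncated_secret,
        "by_reference": reminder_by_reference,
    }
    return {name: leaks_secret(fn(token), token.secret) for name, fn in builders.items()}


if __name__ == "__main__":
    # Constructed sample token; the secret value is made up for the example.
    sample = ApiToken(token_id="42", description="CI deploy key",
                      secret="abcdefghijklmnopqrstuvwxyz0123456789",
                      expires=date(2019, 3, 1))
    for name, leaked in audit_reminders(sample).items():
        print(f"{name:>12}: {'LEAKS SECRET' if leaked else 'ok'}")
```

The `leaks_secret` check is the part worth keeping around: run every outbound template that is rendered from a credential record through it in the test suite, so that a regression like the one described in the advisory fails a build instead of reaching users' inboxes.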