It was discovered that Pagure was leaking API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is possible for man-in-the-middle attacks to read these e-mails and gain access to Pagure on behalf of other users. The vulnerability was introduced in [0], which was released with Pagure 5.2.
As of the time of this writing, there is not a released Pagure with a fix for this issue.
[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
Metadata Update from @pingou: - Issue private status set to: True
This is a duplicate of https://pagure.io/pagure/issue/4230 in practice
This issue can be worked around by disabling the cron job. After disabling the cron job, it would be wise to delete any API keys you think may have been e-mailed. You can delete them all to be safe. Users will have to generate new ones if you take this step.
This was fixed in the PR: #4254
Metadata Update from @pingou:
- Issue private status set to: False (was: True)
- Issue set to the milestone: 5.3
- Issue tagged with: bug
Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)