Multiple vulnerabilities have been discovered in Pagure, a Git-centered
code hosting system (forge).
CVE-2024-4981
The function _update_file_in_git() follows symbolic links in
temporary clones. The fix is to bail out if a file path is outside
the temp repo or inside the '.git/' folder to avoid data leak and
unauthorized changes in files or git config.
CVE-2024-4982
Path traversal in view_issue_raw_file().
CVE-2024-47515
The generate_archive() function follows symbolic links in temporary
clones. The fix is to add the actual link rather than the target
content to the zip archive.
CVE-2024-47516
Fix an injection of additional options to the Git command-line
during retrieval of the repository history to prevent remote code
execution.
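The kind of check described for CVE-2024-4981, as an added example that is not Pagure's own code: resolve symbolic links first, then reject any path that ends up outside the temporary clone or inside its '.git/' folder. The names safe_repo_path and demo and the directory layout are hypothetical and constructed for illustration.

```python
import os
import tempfile


def safe_repo_path(repo_root, rel_path):
    """Return the symlink-resolved path for rel_path, or raise ValueError
    if it leaves the clone or lands inside the clone's .git/ folder."""
    root = os.path.realpath(repo_root)
    # realpath() follows every symlink component and collapses "..".
    target = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolves outside the repository: %r" % rel_path)
    git_dir = os.path.join(root, ".git")
    # Compare with a trailing separator so ".github/" is not mistaken for ".git/".
    if target == git_dir or target.startswith(git_dir + os.sep):
        raise ValueError("resolves inside .git/: %r" % rel_path)
    return target


def demo():
    """Classify sample paths against a constructed temporary clone."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "clone")
        os.makedirs(os.path.join(repo, ".git"))
        os.makedirs(os.path.join(repo, "docs"))
        outside = os.path.join(tmp, "secret.txt")  # file outside the clone
        open(outside, "w").close()
        open(os.path.join(repo, ".git", "config"), "w").close()
        # Committed symlinks: one points out of the clone, one into .git/.
        os.symlink(outside, os.path.join(repo, "leak"))
        os.symlink(os.path.join(".git", "config"), os.path.join(repo, "cfg"))
        samples = ("docs/README.md", ".github/ci.yml", "leak", "cfg",
                   "../secret.txt", "/etc/passwd", "docs/../.git/config")
        for path in samples:
            try:
                safe_repo_path(repo, path)
                results[path] = "allowed"
            except ValueError:
                results[path] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s" % (name, verdict))
```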
For Debian 11 bullseye, these problems have been fixed in version
5.11.3+dfsg-1+deb11u1.
We recommend that you upgrade your pagure packages.
For the detailed security status of pagure please refer to
its security tracker page at: