CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail

[Randy Barlow <randy () electronsweatshop com>]

It was discovered that Pagure[4] 5.2 e-mails full API tokens in e-mails 
that are intended to remind users that the tokens are expiring soon[3].
The vulnerability was introduced in 5.2[0]. There was a partial fix
applied in [1], but that fix still leaked partial keys.

At the time of this writing, a fix is proposed at [2].

There is not yet a released version of Pagure with a fix, but Pagure
administrators can work around this issue by disabling the cron job. It
may be wise to delete all API tokens that may have been e-mailed after
disabling the cron job as a precautionary measure.


[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure

Attachment: signature.asc
Description: This is a digitally signed message part