Bug 237734 - www/gitea: Update to 1.8.0 (fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Assignee: Jochen Neumeister
Reported: 2019-05-03 15:43 UTC by Stefan Bethke
Modified: 2019-05-06 23:17 UTC

Attachments
Patch to update Gitea to 1.8.0 (6.60 KB, patch)
2019-05-03 16:15 UTC, Stefan Bethke
vuln.xml entry for the security vulnerabilities fixed in 1.8.0 (1.21 KB, patch)
2019-05-03 16:16 UTC, Stefan Bethke
Update port to 1.8.0 (7.40 KB, patch)
2019-05-04 11:54 UTC, Stefan Bethke

Description Stefan Bethke 2019-05-03 15:43:44 UTC
Update port to Gitea 1.8.0

Fixes three security vulnerabilities, a large number of bugs, and introduces a large number of new features and enhancements.

Release notes: https://blog.gitea.io/2019/04/gitea-1.8.0-is-released/
Comment 1 Stefan Bethke 2019-05-03 16:15:45 UTC
Created attachment 204195 [details]
Patch to update Gitea to 1.8.0
Comment 2 Stefan Bethke 2019-05-03 16:16:26 UTC
Created attachment 204196 [details]
vuln.xml entry for the security vulnerabilities fixed in 1.8.0
Comment 3 Stefan Bethke 2019-05-04 11:47:07 UTC
Please also add the following entry to UPDATING:

20190503:
  AFFECTS: users of www/gitea
  AUTHOR: stb@lassitu.de

  Gitea requires the addition of another secret to the config file in order to
  start up.  Either manually add JWT_SECRET to the
  ${PREFIX}/etc/gitea/conf/app.ini config file (see app.ini.example), or allow
  Gitea to make the change for you by making the config file writable to the
  git user.
Comment 4 Stefan Bethke 2019-05-04 11:53:43 UTC
Sorry, make that:

20190503:
  AFFECTS: users of www/gitea
  AUTHOR: stb@lassitu.de

  Gitea requires the addition of another secret to the config file in order to
  start up.  Either manually add JWT_SECRET to the
  ${PREFIX}/etc/gitea/conf/app.ini config file (see app.ini.sample), or allow
  Gitea to make the change for you by making the config file writable to the
  git user.

(app.ini.sample is correct)
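
Added example (not part of the port, the attached patches, or Gitea): a pre-upgrade check for the first option in the UPDATING entry above, reporting whether app.ini already carries a non-empty JWT_SECRET. The helper name jwt_secret_state and the sample file content are constructed for illustration; the key is accepted in any section because the entry does not name one.

```shell
#!/bin/sh
# Added example, not part of the port or of Gitea.
# jwt_secret_state is a hypothetical helper name.

# jwt_secret_state FILE
# Prints "set", "empty", "missing" or "unreadable" for the JWT_SECRET key.
jwt_secret_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }   # comment line: a commented-out key does not count
        /^[ \t]*\[/   { next }   # section header: the key is accepted in any section
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+/, "", val)
            gsub(/[ \t]+$/, "", val)
            # Exact comparison, so a key such as LFS_JWT_SECRET is not mistaken for it.
            if (key == "JWT_SECRET") { seen = 1; if (val != "") filled = 1 }
        }
        END { print (filled ? "set" : (seen ? "empty" : "missing")) }
    ' "$1"
}

# Constructed sample: only look-alike lines, no real JWT_SECRET entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[server]
LFS_JWT_SECRET = constructed-value
; JWT_SECRET = commented-out
EOF
echo "sample config: $(jwt_secret_state "$sample")"
rm -f "$sample"
```

Run it against ${PREFIX}/etc/gitea/conf/app.ini before restarting the service; any result other than "set" means one of the two steps in the UPDATING entry is still needed.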
Comment 5 Stefan Bethke 2019-05-04 11:54:31 UTC
Created attachment 204214 [details]
Update port to 1.8.0

Added a pkg-message to inform users about the necessary change to the config file.
Comment 6 commit-hook freebsd_committer freebsd_triage 2019-05-06 08:47:57 UTC
A commit references this bug:

Author: joneum
Date: Mon May  6 08:47:08 UTC 2019
New revision: 500901
URL: https://svnweb.freebsd.org/changeset/ports/500901

Log:
  Add entry for www/gitea

  PR:		237734
  Sponsored by:	Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-05-06 08:52:03 UTC
A commit references this bug:

Author: joneum
Date: Mon May  6 08:51:37 UTC 2019
New revision: 500902
URL: https://svnweb.freebsd.org/changeset/ports/500902

Log:
  www/gitea: Update to 1.8.0

  Changelog: https://blog.gitea.io/2019/04/gitea-1.8.0-is-released/

   - Add UPDATING

  PR:		237734
  Submitted by:	stb@lassitu.de (maintainer)
  MFH:		2019Q2
  Security:	a1de4ae9-6fda-11e9-9ba0-4c72b94353b5
  Sponsored by:	Netzkommune GmbH

Changes:
  head/UPDATING
  head/www/gitea/Makefile
  head/www/gitea/distinfo
  head/www/gitea/files/app.ini.sample.in
  head/www/gitea/pkg-message
  head/www/gitea/pkg-plist
Comment 8 commit-hook freebsd_committer freebsd_triage 2019-05-06 09:10:22 UTC
A commit references this bug:

Author: joneum
Date: Mon May  6 09:09:37 UTC 2019
New revision: 500904
URL: https://svnweb.freebsd.org/changeset/ports/500904

Log:
  Update to 1.8.0

  Changelog: https://blog.gitea.io/2019/04/gitea-1.8.0-is-released/

  PR:		237734
  Submitted by:	stb@lassitu.de (maintainer)
  Approved by:	ports-secteam (joneum)
  Security:	a1de4ae9-6fda-11e9-9ba0-4c72b94353b5
  Sponsored by:	Netzkommune GmbH

Changes:
  branches/2019Q2/www/gitea/Makefile
  branches/2019Q2/www/gitea/distinfo
  branches/2019Q2/www/gitea/files/app.ini.sample.in
  branches/2019Q2/www/gitea/pkg-message
  branches/2019Q2/www/gitea/pkg-plist
Comment 9 Jochen Neumeister freebsd_committer freebsd_triage 2019-05-06 09:10:57 UTC
All done. Thx :-)
Comment 10 Adam Weinberger freebsd_committer freebsd_triage 2019-05-06 10:47:00 UTC
I'm getting some strange errors running this. It appears from the first line that it's looking for app.ini in the wrong directory. Is it doing this for you too?

019/05/06 04:38:26 [W] Custom config '/usr/local/sbin/custom/conf/app.ini' not found, ignore this if you're running first time
2019/05/06 04:38:26 [T] AppPath: /usr/local/sbin/gitea
2019/05/06 04:38:26 [T] AppWorkPath: /usr/local/sbin
2019/05/06 04:38:26 [T] Custom path: /usr/local/sbin/custom
2019/05/06 04:38:26 [T] Log path: /usr/local/sbin/log
2019/05/06 04:38:26 [I] Gitea v1.8.0 built with go1.12.4
2019/05/06 04:38:26 [I] Log Mode: Console(Info)
2019/05/06 04:38:26 [I] XORM Log Mode: Console(Info)
2019/05/06 04:38:26 [I] Cache Service Enabled
2019/05/06 04:38:26 [I] Session Service Enabled
2019/05/06 04:38:26 [I] SQLite3 Supported
2019/05/06 04:38:26 [I] Run Mode: Development
panic: fail to set message file(en-US): open conf/locale/locale_en-US.ini: no such file or directory

goroutine 1 [running]:
code.gitea.io/gitea/vendor/github.com/go-macaron/i18n.initLocales(0xc00013ab35, 0x0, 0x53bf87, 0xb, 0xc00029a690, 0x549e08, 0x12, 0xc000118420, 0x16, 0x16, ...)
        /wrkdirs/usr/ports/www/gitea/work/src/code.gitea.io/gitea/vendor/github.com/go-macaron/i18n/i18n.go:57 +0x6de
code.gitea.io/gitea/vendor/github.com/go-macaron/i18n.I18n(0xc000540300, 0x1, 0x1, 0x0, 0x0)
        /wrkdirs/usr/ports/www/gitea/work/src/code.gitea.io/gitea/vendor/github.com/go-macaron/i18n/i18n.go:158 +0xed
code.gitea.io/gitea/routers/routes.NewMacaron(0xc0001c7900)
        /wrkdirs/usr/ports/www/gitea/work/src/code.gitea.io/gitea/routers/routes/routes.go:126 +0x7af
code.gitea.io/gitea/cmd.runWeb(0xc0001c7900, 0x0, 0x0)
        /wrkdirs/usr/ports/www/gitea/work/src/code.gitea.io/gitea/cmd/web.go:125 +0xae
code.gitea.io/gitea/vendor/github.com/urfave/cli.HandleAction(0x31c280, 0x59aed0, 0xc0001c7900, 0xc0006dafc0, 0x0)
        /wrkdirs/usr/ports/www/gitea/work/src/code.gitea.io/gitea/vendor/github.com/urfave/cli/app.go:471 +0xad
code.gitea.io/gitea/vendor/github.com/urfave/cli.(*App).Run(0xc0000e69c0, 0xc0000b4170, 0x1, 0x1, 0x0, 0x0)
        /wrkdirs/usr/ports/www/gitea/work/src/code.gitea.io/gitea/vendor/github.com/urfave/cli/app.go:246 +0x574
main.main()
        /wrkdirs/usr/ports/www/gitea/work/src/code.gitea.io/gitea/main.go:57 +0x426
Comment 11 Stefan Bethke 2019-05-06 10:55:58 UTC
(In reply to Adam Weinberger from comment #10)
Are you trying to run the Gitea binary directly from the command line? That only works if you supply the command line parameters pretty much the same way the start script does.

It would be nice if Gitea would be changed to behave more like a regular daemon, but I haven't had the time to work out any patches, and it seems to me it's not really a priority for the dev team; they're much more interested in the way Docker runs an application (foreground, log stdout, etc.)
Comment 12 Adam Weinberger freebsd_committer freebsd_triage 2019-05-06 23:13:14 UTC
`service gitea start` just dumps right back to the command-line and gitea doesn't start.

That output came from running what the rc script does:
/usr/sbin/daemon -S -l daemon -s debug -T gitea -u git -p /var/run/gitea.pid /usr/bin/env -i GITEA_WORK_DIR=/usr/local/share/gitea GITEA_CUSTOM=/usr/local/etc/gitea HOME=/home/git PATH=/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin USER=git /usr/local/sbin/gitea web
Comment 13 Adam Weinberger freebsd_committer freebsd_triage 2019-05-06 23:17:30 UTC
Ignore the above. I rebooted and it's happy now. Sorry for the noise.