Bug 254130 - www/gitea: Update to 1.13.4 (fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Neel Chauhan
Reported: 2021-03-08 10:37 UTC by Stefan Bethke
Modified: 2021-03-11 14:02 UTC
fernape: merge-quarterly+


Attachments
Update Gitea port to 1.13.4 (895 bytes, patch)
2021-03-08 10:44 UTC, Stefan Bethke
no flags
VuXML entry for Gitea before 1.13.4 (1.51 KB, patch)
2021-03-08 10:44 UTC, Stefan Bethke
fluffy: maintainer-approval+
Description Stefan Bethke 2021-03-08 10:37:11 UTC
Releases 1.13.3 and 1.13.4 fix two security issues and 22 bugs.

Release notes:
- https://blog.gitea.io/2021/03/gitea-1.13.3-is-released/
- https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/
Comment 1 Stefan Bethke 2021-03-08 10:42:42 UTC
[vagrant@porttest-13 ~/vuxml]$ make validate
/bin/sh /usr/home/vagrant/vuxml/files/tidy.sh "/usr/home/vagrant/vuxml/files/tidy.xsl" "/usr/home/vagrant/vuxml/vuln-flat.xml" > "/usr/home/vagrant/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/home/vagrant/vuxml/vuln-flat.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python3.7 /usr/home/vagrant/vuxml/files/extra-validation.py /usr/home/vagrant/vuxml/vuln-flat.xml
Warning: description too long (6137 chars, 5000 is warning threshold): f00b65d8-7ccb-11eb-b3be-e09467587c17)

The warning concerns an older, pre-existing entry.
Comment 2 Stefan Bethke 2021-03-08 10:44:10 UTC
Created attachment 223089
Update Gitea port to 1.13.4
Comment 3 Stefan Bethke 2021-03-08 10:44:36 UTC
Created attachment 223090
VuXML entry for Gitea before 1.13.4
Comment 4 Fernando Apesteguía freebsd_committer freebsd_triage 2021-03-08 11:34:45 UTC
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.

^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval.
--
Attachment -> Details -> maintainer-approval [+]


Thanks!
Comment 5 commit-hook freebsd_committer freebsd_triage 2021-03-10 18:46:09 UTC
A commit references this bug:

Author: nc
Date: Wed Mar 10 18:45:25 UTC 2021
New revision: 568030
URL: https://svnweb.freebsd.org/changeset/ports/568030

Log:
  Document vulnerabilities in www/gitea < 1.13.4

  PR:		254130
  Submitted by:	stb AT lassitu DOT de (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-03-10 18:49:11 UTC
A commit references this bug:

Author: nc
Date: Wed Mar 10 18:48:44 UTC 2021
New revision: 568031
URL: https://svnweb.freebsd.org/changeset/ports/568031

Log:
  www/gitea: Update to 1.13.4

  This update fixes security vulnerabilities

   * https://blog.gitea.io/2021/03/gitea-1.13.3-is-released/
   * https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/

  PR:		254130
  Submitted by:	stb AT lassitu DOT de (maintainer)
  MFH:		2021Q1
  Security:	502ba001-7ffa-11eb-911c-0800278d94f

Changes:
  head/www/gitea/Makefile
  head/www/gitea/distinfo
Comment 7 Neel Chauhan freebsd_committer freebsd_triage 2021-03-10 18:49:52 UTC
Committed and MFH'd!
Comment 8 commit-hook freebsd_committer freebsd_triage 2021-03-10 18:50:12 UTC
A commit references this bug:

Author: nc
Date: Wed Mar 10 18:49:37 UTC 2021
New revision: 568032
URL: https://svnweb.freebsd.org/changeset/ports/568032

Log:
  MFH: r568031

  www/gitea: Update to 1.13.4

  This update fixes security vulnerabilities

   * https://blog.gitea.io/2021/03/gitea-1.13.3-is-released/
   * https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/

  PR:		254130
  Submitted by:	stb AT lassitu DOT de (maintainer)
  Security:	502ba001-7ffa-11eb-911c-0800278d94f
  Approved by:	portmgr (security blanket)

Changes:
_U  branches/2021Q1/
  branches/2021Q1/www/gitea/Makefile
  branches/2021Q1/www/gitea/distinfo
Comment 9 Cluboq 2021-03-10 23:26:38 UTC
Looks like there is a typo in the VuXML patch: minimum fixed version is erroneously 1.13.24 instead of 1.13.4.

That causes the updated port to be mistakenly flagged as vulnerable.
Comment 10 Stefan Bethke 2021-03-11 06:17:47 UTC
(In reply to Cluboq from comment #9)

You are correct, thanks for spotting that!

Neel, do I need to update the patch, or can you fix the line in the vuxml directly?

Instead of
       <range><lt>1.13.24</lt></range>
it should be
       <range><lt>1.13.4</lt></range>


Stefan
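
The effect of the typo discussed in comments 9 and 10, as an added example that is not part of the original thread or of the FreeBSD VuXML tooling: a check that the pre-update version matches the entry's `<range>` and the updated version does not. The entry fragment, the helper names (`vercmp`, `affected`, `check_update`) and the pre-update version 1.13.2 are assumptions for illustration, and the comparison is a simplified dotted-numeric one rather than pkg's full version ordering.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML-style fragment (not the committed entry); {bound} is
# filled with the two <lt> values quoted in comment 10.
ENTRY = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <affects><package>
    <name>gitea</name>
    <range><lt>{bound}</lt></range>
  </package></affects>
</vuln>"""

# VuXML range operators, applied to the sign of vercmp(installed, bound).
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def vercmp(a, b):
    """Compare dotted numeric versions, returning -1, 0 or 1.
    Simplified: no PORTREVISION, PORTEPOCH or letter suffixes."""
    pa, pb = ([int(x) for x in v.split(".")] for v in (a, b))
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)

def affected(entry_xml, name, version):
    """True if name at version falls inside any <range> of the entry."""
    for pkg in ET.fromstring(entry_xml).iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            bounds = list(rng)
            # All bounds in one <range> must hold (e.g. <ge> plus <lt>).
            if bounds and all(OPS[b.tag](vercmp(version, b.text)) for b in bounds):
                return True
    return False

def check_update(entry_xml, name, old_version, new_version):
    """Sanity check for a security update: old matches, new must not."""
    problems = []
    if not affected(entry_xml, name, old_version):
        problems.append(f"{name}-{old_version} is not covered by the entry")
    if affected(entry_xml, name, new_version):
        problems.append(f"{name}-{new_version} is still flagged as vulnerable")
    return problems

if __name__ == "__main__":
    for bound in ("1.13.24", "1.13.4"):
        # 1.13.2 is an assumed pre-update version, used only for illustration.
        print(bound, check_update(ENTRY.format(bound=bound), "gitea", "1.13.2", "1.13.4"))
```

Both bounds pass `make validate`, because the XML is well-formed either way; only a comparison against the version the port is actually updated to exposes the wrong bound.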
Comment 11 commit-hook freebsd_committer freebsd_triage 2021-03-11 14:02:30 UTC
A commit references this bug:

Author: fernape
Date: Thu Mar 11 14:01:40 UTC 2021
New revision: 568095
URL: https://svnweb.freebsd.org/changeset/ports/568095

Log:
  security/vuxml: Fix www/gitea entry.

  s/1.13.24/1.13.4

  PR:	254130
  Reported by:	clubok@gmx.net

Changes:
  head/security/vuxml/vuln.xml
Comment 12 Fernando Apesteguía freebsd_committer freebsd_triage 2021-03-11 14:02:51 UTC
Entry fixed.

Thanks!