Created attachment 243263
Update port and vuxml

Update gitea to 1.19.4

This release contains one security fix as well as a large number of enhancements and bug fixes. See the release notes for details.

Release notes: https://github.com/go-gitea/gitea/releases/tag/v1.19.4
Thanks for the vuxml entry, it is very appreciated! A minor thing: >>> Successful. Checking if tidy differs... ... seems okay Checking for space/tab... --- /data/fernape_data/FreeBSD-repos/ports/security/vuxml/vuln-flat.xml 2023-07-05 13:33:08.077976000 +0200 +++ /data/fernape_data/FreeBSD-repos/ports/security/vuxml/vuln.xml.unexpanded 2023-07-05 13:33:11.862756000 +0200 @@ -91,7 +91,7 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>The Gitea team reports:</p> <blockquote cite="https://github.com/go-gitea/gitea/pull/25143"> - <p>If redirect_to parameter has set value starting with + <p>If redirect_to parameter has set value starting with \\example.com redirect will be created with header Location: /\\example.com that will redirect to example.com domain.</p> </blockquote> ... see above there was an extra space after "with". Always run "make validate" from security/vuxml. No need to update a new patch!
^Triage: Maintainer-feedback flag (+) not required unless requested (?) first.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0609a03e4b94368b5410503906f05eaec542e2c7

commit 0609a03e4b94368b5410503906f05eaec542e2c7
Author: Stefan Bethke <stb@lassitu.de>
AuthorDate: 2023-07-05 11:36:51 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-07-06 06:23:28 +0000

    www/gitea: Update to 1.19.4 (fixes security vulnerabilities)

    ChangeLog: https://github.com/go-gitea/gitea/releases/tag/v1.19.4

    SECURITY
    * Fix open redirect check for more cases

    API
    * Return 404 in the API if the requested webhooks were not found
    * Fix organization field being null in GET /api/v1/teams/{id}

    ENHANCEMENTS
    * Set --font-weight-bold to 600
    * Make mailer SMTP check have timed context
    * Do not select line numbers when selecting text from the action run logs

    BUGFIXES
    * Fix bug when change user name
    * Fix task list checkbox toggle to work with YAML front matter
    * Hide limited users if viewed by anonymous ghost
    * Add WithPullRequest for actionsNotifier
    * Fix parallelly generating index failure with Mysql
    * GitLab migration: Sanitize response for reaction list
    * Fix users cannot visit issue attachment bug
    * Fix missing reference prefix of commits when sync mirror repository
    * Only validate changed columns when update user
    * Make DeleteIssue use correct context
    * Fix topics deleted via API not being deleted in org page
    * Fix Actions being enabled accidentally
    * Fix missed table name on iterate lfs meta objects
    * Fix safari cookie session bug
    * Respect original content when creating secrets
    * Fix Pull Mirror out-of-sync bugs
    * Fix run list broken when trigger user deleted
    * Fix issues list page multiple selection update milestones
    * Fix: release page for empty or non-existing target
    * Fix close org projects
    * Refresh the reference of the closed PR when reopening
    * Fix the permission of team's Actions unit issue
    * Bump go.etcd.io/bbolt and blevesearch deps
    * Fix new wiki page mirror
    * Match unqualified references when syncing pulls as well

    DOCS
    * Change branch name from master to main in some documents' links
    * Remove unnecessary content on docs
    * Unify doc links to use paths relative to doc folder
    * Fix docs documenting invalid @every for OLDER_THAN cron settings

    MISC
    * Merge different languages for language stats
    * Hiding Secrets options when Actions feature is disabled
    * Improve decryption failure message
    * Makefile: Use portable !, not GNUish -not, with find(1).

    PR: 272380
    Reported by: stb@lassitu.de
    MFH: 2023Q3 (security fix)

 www/gitea/Makefile | 2 +-
 www/gitea/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch 2023Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b72fcf2103b73946265f42d1a03d0df5ff056686

commit b72fcf2103b73946265f42d1a03d0df5ff056686
Author: Stefan Bethke <stb@lassitu.de>
AuthorDate: 2023-07-05 11:36:51 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-07-06 06:24:34 +0000

    www/gitea: Update to 1.19.4 (fixes security vulnerabilities)

    ChangeLog: https://github.com/go-gitea/gitea/releases/tag/v1.19.4

    SECURITY
    * Fix open redirect check for more cases

    API
    * Return 404 in the API if the requested webhooks were not found
    * Fix organization field being null in GET /api/v1/teams/{id}

    ENHANCEMENTS
    * Set --font-weight-bold to 600
    * Make mailer SMTP check have timed context
    * Do not select line numbers when selecting text from the action run logs

    BUGFIXES
    * Fix bug when change user name
    * Fix task list checkbox toggle to work with YAML front matter
    * Hide limited users if viewed by anonymous ghost
    * Add WithPullRequest for actionsNotifier
    * Fix parallelly generating index failure with Mysql
    * GitLab migration: Sanitize response for reaction list
    * Fix users cannot visit issue attachment bug
    * Fix missing reference prefix of commits when sync mirror repository
    * Only validate changed columns when update user
    * Make DeleteIssue use correct context
    * Fix topics deleted via API not being deleted in org page
    * Fix Actions being enabled accidentally
    * Fix missed table name on iterate lfs meta objects
    * Fix safari cookie session bug
    * Respect original content when creating secrets
    * Fix Pull Mirror out-of-sync bugs
    * Fix run list broken when trigger user deleted
    * Fix issues list page multiple selection update milestones
    * Fix: release page for empty or non-existing target
    * Fix close org projects
    * Refresh the reference of the closed PR when reopening
    * Fix the permission of team's Actions unit issue
    * Bump go.etcd.io/bbolt and blevesearch deps
    * Fix new wiki page mirror
    * Match unqualified references when syncing pulls as well

    DOCS
    * Change branch name from master to main in some documents' links
    * Remove unnecessary content on docs
    * Unify doc links to use paths relative to doc folder
    * Fix docs documenting invalid @every for OLDER_THAN cron settings

    MISC
    * Merge different languages for language stats
    * Hiding Secrets options when Actions feature is disabled
    * Improve decryption failure message
    * Makefile: Use portable !, not GNUish -not, with find(1).

    PR: 272380
    Reported by: stb@lassitu.de
    MFH: 2023Q3 (security fix)

    (cherry picked from commit 0609a03e4b94368b5410503906f05eaec542e2c7)

 www/gitea/Makefile | 2 +-
 www/gitea/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=abe49b255fe64c279dd8ce95fba1fbfc7a3daeeb

commit abe49b255fe64c279dd8ce95fba1fbfc7a3daeeb
Author: Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-07-05 12:55:36 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-07-06 06:30:38 +0000

    security/vuxml: update www/gitea vulnerability

    Avoid open HTTP redirects.

    PR: 272380

 security/vuxml/vuln/2023.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
Committed, Thanks!