Created attachment 248478
Patch 1.21.5

Update to 1.21.5 and include a vuxml update for the vulnerability
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=41926dd0b36d937621ba2596f6957e1ca70b14a6

commit 41926dd0b36d937621ba2596f6957e1ca70b14a6
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2024-02-16 08:35:46 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-02-16 08:48:14 +0000

    security/vuxml: document www/gitea vulnerability

    Prevent anonymous container access if RequireSignInView is enabled

    PR: 277066

 security/vuxml/vuln/2024.xml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a68308673e12c6cc3dda0a622ed967e49c7a33f5

commit a68308673e12c6cc3dda0a622ed967e49c7a33f5
Author:     Paul Armstrong <freebsd@otoh.org>
AuthorDate: 2024-02-16 08:27:38 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-02-18 16:32:31 +0000

    www/gitea: update to 1.21.5 (fixes security vulnerabilities)

    ChangeLog: https://github.com/go-gitea/gitea/releases/tag/v1.21.5

    SECURITY
    * Prevent anonymous container access if RequireSignInView is enabled
    * Update go dependencies and fix go-git

    BUGFIXES
    * Revert "Speed up loading the dashboard on mysql/mariadb
    * Fix an actions schedule bug
    * Fix update enable_prune even if mirror_interval is not provided
    * Fix uploaded artifacts should be overwritten
    * Preserve BOM in web editor
    * Strip / from relative links
    * Don't remove all mirror repository's releases when mirroring
    * Implement MigrateRepository for the actions notifier
    * Respect branch info for relative links
    * Don't reload timeline page when (un)resolving or replying conversation
    * Only migrate the first 255 chars of a Github issue title
    * Fix sort bug on repository issues list
    * Fix DeleteCollaboration transaction behaviour
    * Fix schedule not trigger bug because matching full ref name with short ref name
    * Fix migrate storage bug
    * Fix archive creating LFS hooks and breaking pull requests
    * Fix reverting a merge commit failing
    * Upgrade xorm to v1.3.7 to fix a resource leak problem caused by Iterate
    * Fix incorrect PostgreSQL connection string for Unix sockets

    ENHANCEMENTS
    * Make loading animation less aggressive
    * Avoid duplicate JS error messages on UI
    * Bump @github/relative-time-element to 4.3.1

    MISC
    * Warn that DISABLE_QUERY_AUTH_TOKEN is false only if it's explicitly defined
    * Remove duplicated checkinit on git module

    PR: 277066
    Reported by: freebsd@otoh.org
    MFH: 2024Q1 (security fixes, bug fixes)

 www/gitea/Makefile | 3 +--
 www/gitea/distinfo | 7 ++++---
 2 files changed, 5 insertions(+), 5 deletions(-)
A commit in branch 2024Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9e8ea86002aa7b344a1f8ed44d9e470b56f76d37

commit 9e8ea86002aa7b344a1f8ed44d9e470b56f76d37
Author:     Paul Armstrong <freebsd@otoh.org>
AuthorDate: 2024-02-16 08:27:38 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-02-18 16:34:33 +0000

    www/gitea: update to 1.21.5 (fixes security vulnerabilities)

    ChangeLog: https://github.com/go-gitea/gitea/releases/tag/v1.21.5

    SECURITY
    * Prevent anonymous container access if RequireSignInView is enabled
    * Update go dependencies and fix go-git

    BUGFIXES
    * Revert "Speed up loading the dashboard on mysql/mariadb
    * Fix an actions schedule bug
    * Fix update enable_prune even if mirror_interval is not provided
    * Fix uploaded artifacts should be overwritten
    * Preserve BOM in web editor
    * Strip / from relative links
    * Don't remove all mirror repository's releases when mirroring
    * Implement MigrateRepository for the actions notifier
    * Respect branch info for relative links
    * Don't reload timeline page when (un)resolving or replying conversation
    * Only migrate the first 255 chars of a Github issue title
    * Fix sort bug on repository issues list
    * Fix DeleteCollaboration transaction behaviour
    * Fix schedule not trigger bug because matching full ref name with short ref name
    * Fix migrate storage bug
    * Fix archive creating LFS hooks and breaking pull requests
    * Fix reverting a merge commit failing
    * Upgrade xorm to v1.3.7 to fix a resource leak problem caused by Iterate
    * Fix incorrect PostgreSQL connection string for Unix sockets

    ENHANCEMENTS
    * Make loading animation less aggressive
    * Avoid duplicate JS error messages on UI
    * Bump @github/relative-time-element to 4.3.1

    MISC
    * Warn that DISABLE_QUERY_AUTH_TOKEN is false only if it's explicitly defined
    * Remove duplicated checkinit on git module

    PR: 277066
    Reported by: freebsd@otoh.org
    MFH: 2024Q1 (security fixes, bug fixes)

    (cherry picked from commit a68308673e12c6cc3dda0a622ed967e49c7a33f5)

 www/gitea/Makefile | 2 +-
 www/gitea/distinfo | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
Committed, Thanks!