Bug 279250 - www/forgejo: update to 7.0.3 (fixes security vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Fernando Apesteguía
URL: https://codeberg.org/forgejo/forgejo/...
Reported: 2024-05-23 12:49 UTC by Stefan Bethke
Modified: 2024-05-24 17:55 UTC

Attachments
update port to 7.0.3 (2.79 KB, patch)
2024-05-23 12:49 UTC, Stefan Bethke
fernape: maintainer-approval+

Description Stefan Bethke 2024-05-23 12:49:12 UTC
Created attachment 250899
update port to 7.0.3

Update port to 7.0.3

Release Notes: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-3

Bump also necessary because of go122 1.22.3

While here, add required (but so far missing) directories to plist.
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2024-05-23 15:46:46 UTC
^Triage: Maintainer-feedback flag (+) not required unless requested (?) first.
^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval.

Thanks!
Comment 2 Fernando Apesteguía freebsd_committer freebsd_triage 2024-05-24 06:34:10 UTC
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
Error: Orphaned: @dir /var/db/forgejo/data
===> Checking for items in pkg-plist which are not in STAGEDIR
===> Error: Plist issues found.
*** Error code 1

/var/db/forgejo/data was created in the makefile but it is not handled in the pkg-plist. No need to update a new patch, I have it fixed locally. You can just use poudriere to catch these things, it is a great tool :-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-05-24 17:51:15 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b7a05632d12830f7ee8020e7006eb9e5ef3c5305

commit b7a05632d12830f7ee8020e7006eb9e5ef3c5305
Author:     Stefan Bethke <stb@lassitu.de>
AuthorDate: 2024-05-23 15:47:24 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-05-24 17:50:09 +0000

    www/forgejo: update to 7.0.3 (fixes CVE)

    ChangeLog:
    https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-3

    PR:             279250
    Reported by:    stb@lassitu.de (maintainer)
    MFH:            2024Q2 (security fix)
    Security:       CVE-2024-24788

 www/forgejo/Makefile  | 6 +++++-
 www/forgejo/distinfo  | 6 +++---
 www/forgejo/pkg-plist | 5 +++++
 3 files changed, 13 insertions(+), 4 deletions(-)
Comment 4 Fernando Apesteguía freebsd_committer freebsd_triage 2024-05-24 17:55:19 UTC
Committed,

Not merging to 2024Q2 since this is a major version change and the bug is not present (in Q2 we have go 1.21 and the bug was introduced in go 1.22).

Thanks!