Created attachment 196065
update gitea port to 1.5.0

Update Gitea to 1.5.0

Release notes: https://blog.gitea.io/2018/08/gitea-1.5.0-is-released/

Three security fixes, general bugfixes, and new features.

This port update also contains a small fix for the start script, to properly pass the username of the git system account to Gitea.
Sorry, forgot: Startup script fix hat tip to schmidt@ze.tum.de.
Pending a VuXML entry addition. @maintainer if you can provide that, that would be great.
How can I provide a VuXML entry?
(In reply to stb from comment #3)

One creates a new entry in the security/vuxml port, then provides a diff of that change.

There's a special 'newentry' make target that adds an entry to the xml file with a new uuid for you.

There's a 'validate' target to validate the resulting xml. One needs to have 'installed' the vuxml port to install the validation tools.

For details on the fields/content values, see:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
More specifically, I have no knowledge of the claimed security fixes, and I have no knowledge of the vulnerabilities that these fixes try to avoid. The only information the Gitea project provides is in the release notes on Github: https://github.com/go-gitea/gitea/releases/tag/v1.5.0 which list four pull requests. I do not feel competent to explain what the problems are, what consequences one might suffer, and how the fixes solve the problem. As far as I can tell, there are no advisories provided by the Gitea project containing such information. I could go through the mechanics of creating an entry, but have no idea what to enter.
(In reply to stb from comment #5)

One may just relay what the project provides. In this case there are 3 security fixes, each with pull request/issue descriptions:

"""
The Gitea project documents 3 fixed security issues:

Check that repositories can only be migrated to own user or organizations (#4366) (#4370)
Limit uploaded avatar image-size to 4096px x 3072px by default (#4353)
Do not allow to reuse TOTP passcode (#3878)
"""

Add the pull-request/issue URLs to <url></url> blocks.
If there are CVE references, add those as <cvename></cvename> blocks.
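To make the two comments above concrete (the 'newentry'/'validate' mechanics in comment #4 and the relay-what-upstream-says content in comment #6), here is an illustrative VuXML entry for this update. It is an added example, not the entry actually committed to security/vuxml in r476973, whose text is not reproduced on this page. The vid is the one later cited in the port commit; the issue/PR URLs are assumed from the numbers quoted above (GitHub redirects /issues/N to /pull/N when N is a pull request); the discovery date is a placeholder because the upstream release date is not stated here.

```xml
<!-- Illustrative entry for vuln.xml in security/vuxml. Start from
     `make newentry` (which generates a fresh uuid), fill in the fields
     as below, then run `make validate` with the vuxml port installed. -->
<vuln vid="bcf56a42-9df8-11e8-afb0-589cfc0f81b0">
  <topic>gitea -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>gitea</name>
      <!-- every version before the fixed release is affected -->
      <range><lt>1.5.0</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <!-- Relay the upstream wording; do not speculate beyond it. -->
      <p>The Gitea project documents 3 fixed security issues:</p>
      <ul>
        <li>Check that repositories can only be migrated to own user or organizations (#4366) (#4370)</li>
        <li>Limit uploaded avatar image-size to 4096px x 3072px by default (#4353)</li>
        <li>Do not allow to reuse TOTP passcode (#3878)</li>
      </ul>
    </body>
  </description>
  <references>
    <url>https://github.com/go-gitea/gitea/releases/tag/v1.5.0</url>
    <!-- Assumed URL form, built from the issue/PR numbers quoted upstream. -->
    <url>https://github.com/go-gitea/gitea/issues/4366</url>
    <url>https://github.com/go-gitea/gitea/issues/4370</url>
    <url>https://github.com/go-gitea/gitea/issues/4353</url>
    <url>https://github.com/go-gitea/gitea/issues/3878</url>
    <!-- No CVE identifiers are given for these fixes; if one were
         assigned it would be listed as <cvename>CVE-YYYY-NNNN</cvename>. -->
  </references>
  <dates>
    <!-- PLACEHOLDER: replace with the upstream release date (not given here). -->
    <discovery>YYYY-MM-DD</discovery>
    <!-- date the entry is committed; matches the vuxml commit in this PR -->
    <entry>2018-08-12</entry>
  </dates>
</vuln>
```

The `<range>` with only `<lt>` is what lets `pkg audit` flag every installed gitea older than 1.5.0, so it is the one field that matters for users even when, as here, the description can say little more than what upstream published.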
I will take care of this later today. If there is no vuxml diff by then, I will create the entry, not a problem.
A commit references this bug:

Author: flo
Date: Sun Aug 12 07:55:09 UTC 2018
New revision: 476973
URL: https://svnweb.freebsd.org/changeset/ports/476973

Log:
  Document www/gitea vulnerability, with the scarce details provided by Gitea

  PR:		230512

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: flo
Date: Sun Aug 12 08:00:31 UTC 2018
New revision: 476977
URL: https://svnweb.freebsd.org/changeset/ports/476977

Log:
  Update to 1.5.0

  PR:		230512
  Submitted by:	stb@lassitu.de (maintainer)
  Security:	bcf56a42-9df8-11e8-afb0-589cfc0f81b0

Changes:
  head/www/gitea/Makefile
  head/www/gitea/distinfo
  head/www/gitea/files/gitea.in
  head/www/gitea/pkg-plist
Committed. Thanks.