
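--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,34 @@
+  <vuln vid="482bb980-99a3-11ee-b5f7-6bd56600d90c">
+    <topic>gitea -- missing permission checks</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.21.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Gitea team reports:</p>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28406">
+	  <p>Fix missing check</p>
+	</blockquote>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28423">
+	  <p>Do some missing checks</p>
+	</blockquote>
+        <p>By crafting an API request, attackers can access the contents of
+        issues even though the logged-in user does not have access rights to
+        these issues.</p>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.2</url>
+    </references>
+    <dates>
+      <discovery>2023-08-30</discovery>
+      <entry>2023-09-10</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="8eefff69-997f-11ee-8e38-002590c1f29c">
     <topic>FreeBSD -- NFS client data corruption and kernel memory disclosure</topic>
     <affects>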
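Review bot: The `<dates>` block of the new gitea entry looks carried over from an older entry: `<entry>2023-09-10</entry>` is roughly three months earlier than the distinfo TIMESTAMP in this same patch (1702463449, mid-December 2023). In VuXML `<entry>` records the day the entry was added, so anything that sorts or filters advisories by date would treat this as an old item rather than a new one; set it to the commit date. `<discovery>2023-08-30</discovery>` should be checked against the publication date of the two cited pull requests for the same reason. The closing paragraph about crafted API requests sits outside both blockquotes and may also be inherited text, so confirm it describes what these two fixes address.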
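--- a/www/gitea/Makefile
+++ b/www/gitea/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	gitea
 DISTVERSIONPREFIX=	v
-DISTVERSION=	1.21.0
+DISTVERSION=	1.21.2
-PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \
 		https://dl.gitea.io/gitea/${DISTVERSION}/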
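--- a/www/gitea/distinfo
+++ b/www/gitea/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1699991932
+TIMESTAMP = 1702463449
-SHA256 (gitea-src-1.21.0.tar.gz) = 69b12778b3b5f24aecff08d8e5122e4edf784bda2e4335b77f2bbd0404a11a93
+SHA256 (gitea-src-1.21.2.tar.gz) = fb31b8b722634b0a1c2035703a3e1187017b87fe96042386ffa8f80750035dab
-SIZE (gitea-src-1.21.0.tar.gz) = 53744981
+SIZE (gitea-src-1.21.2.tar.gz) = 53795805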
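--- a/www/gitea/pkg-message
+++ b/www/gitea/pkg-message
@@ -1,4 +1,19 @@
 [
+{ type: upgrade
+  maximum_version: 1.20.0
+  message: <<EOM
+Please make sure to empty or maintain the contents of the
+/usr/local/share/gitea folder between your upgrades of gitea.
+Changes between versions can break the web UI due to residual
+files from earlier versions.
+
+1.21.0 has a breaking change regarding the public assets folder. In case
+you use a proxying webserver serving the files, you need to update your
+configuration:
+
+https://github.com/go-gitea/gitea/pull/25907
+EOM
+}
 { type: upgrade
   maximum_version: 1.7.6
   message: <<EOM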
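Review bot: `maximum_version: 1.20.0` on the new upgrade message probably hides it from most of the people it is written for. As I understand pkg's message format, an upgrade message is shown only when the version being upgraded from is not newer than `maximum_version`, so anyone coming from 1.20.1 or a later 1.20.x release never sees the note about the 1.21.0 public assets change and may keep a stale proxy configuration. If the intent is to reach everyone upgrading from before the breaking change, `maximum_version: 1.21.0` would match the text better; please confirm the comparison semantics against the pkg documentation.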
